You can authorize users to conditionally gain access to general
resources in three ways: through port-of-entry, SMF system identifier,
and application-specific criteria.
- By port of entry: You can require that a user or a job have entered the system from a particular device when accessing general resources.
  - You can require that a user be logged on to a particular terminal by specifying WHEN(TERMINAL(…)) on the PERMIT command. The TERMINAL class must be active for this support to take effect.
  - You can require that a user be logged on to a particular console by specifying WHEN(CONSOLE(…)) on the PERMIT command. The CONSOLE class must be active for this support to take effect.
  - You can require the batch job accessing the resource to have been submitted from a particular JES input device by specifying WHEN(JESINPUT(…)) on the PERMIT command. The JESINPUT class must be active for this support to take effect.
  - You can require that a user enter the system from a particular partner LU by specifying WHEN(APPCPORT(…)) on the PERMIT command. The APPCPORT class must be active for this support to take effect.
  - You can require that a user enter the system from an IP address contained in a particular network access security zone by specifying the name of the SERVAUTH profile protecting that network access security zone on the WHEN(SERVAUTH(…)) operand of the PERMIT command. The SERVAUTH class must be active for this support to take effect.
  - You can require that a user enter the system from an IP address contained in a particular network access security zone only when executing a particular program by specifying the program on the WHEN(PROGRAM) operand of the PERMIT command, and by specifying the name of the SERVAUTH profile protecting that network access security zone as the resource. The PROGRAM and SERVAUTH classes must be active for this support to take effect.

  Note: If an access list contains more than one condition, any of the conditions allows the specified access. For example, if you enter the PERMIT command with WHEN(CONSOLE(01) TERMINAL(20)) specified, you allow the access when either console 01 or terminal 20 is used.

  Example: To ensure that an operator (or group of operators) can issue certain operator commands only when logged on at a particular console, enter:

    PERMIT profile-name CLASS(OPERCMDS) ID(user or group) ACCESS(READ) WHEN(CONSOLE(console-id))
- By SMF system ID:
- By CRITERIA: A user or job can be allowed to use a resource on the basis of application-specific criteria by specifying WHEN(CRITERIA(criteria-name(criteria-value))) on the PERMIT command. The criteria-name and criteria-value must match the criteria-name and criteria-value passed to RACF® on the RACROUTE REQUEST=FASTAUTH authorization check. The resource manager issuing the authorization check is responsible for the criteria-name and criteria-value; see the resource manager's documentation for further information. The class you specify on the PERMIT command must be RACLISTed for this support to take effect.

  Example: To allow members of group STUDENT to SELECT from the table USER01.HOMEWORK_GRADES in the DB2® DSND subsystem when they run with the DB2 role TEACHING ASSISTANT, enter:

    PERMIT DSND.USER01.HOMEWORK_GRADES.SELECT CLASS(MDSNTB) ID(STUDENT) WHEN(CRITERIA(SQLROLE('TEACHING ASSISTANT'))) ACCESS(READ)
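The following batch job is an added example, not part of the RACF documentation, that carries both examples above through the prerequisites the text names (the CONSOLE class active, the MDSNTB class RACLISTed) and ends by displaying each profile so that the new entries can be confirmed to sit in the conditional access list rather than the standard one. OPERGRP, CONS01 and the OPERCMDS profile MVS.VARY.** are assumed placeholder names; STUDENT and the DB2 table profile are taken from the text.

```jcl
//RACFCOND JOB (ACCT),'CONDITIONAL ACCESS',CLASS=A,MSGCLASS=X
//*
//* Added example; all names are placeholders except STUDENT and
//* the MDSNTB profile, which come from the text above.
//*  1. Activate the CONSOLE class: without it, WHEN(CONSOLE)
//*     entries have no effect.
//*  2. Once CONSOLE is active, logon at a console is itself
//*     checked, so the operator group needs READ to the console
//*     profile for the console named in the condition.
//*  3. Grant the operator command only from that console.
//*  4. OPERCMDS is normally RACLISTed, so refresh it or the new
//*     entry is not seen by authorization checks.
//*  5. RLIST ... AUTHUSER shows the entry under
//*     CONDITIONAL ACCESS LIST, not the standard access list.
//*  6. CRITERIA entries require the class to be RACLISTed, so
//*     refresh MDSNTB after the PERMIT as well.
//*
//STEP1    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS CLASSACT(CONSOLE)
  RDEFINE  CONSOLE CONS01 UACC(NONE)
  PERMIT   CONS01 CLASS(CONSOLE) ID(OPERGRP) ACCESS(READ)
  RDEFINE  OPERCMDS MVS.VARY.** UACC(NONE)
  PERMIT   MVS.VARY.** CLASS(OPERCMDS) ID(OPERGRP) ACCESS(READ) +
           WHEN(CONSOLE(CONS01))
  SETROPTS RACLIST(OPERCMDS) REFRESH
  RLIST    OPERCMDS MVS.VARY.** AUTHUSER
  PERMIT   DSND.USER01.HOMEWORK_GRADES.SELECT CLASS(MDSNTB) +
           ID(STUDENT) ACCESS(READ) +
           WHEN(CRITERIA(SQLROLE('TEACHING ASSISTANT')))
  SETROPTS RACLIST(MDSNTB) REFRESH
  RLIST    MDSNTB DSND.USER01.HOMEWORK_GRADES.SELECT AUTHUSER
/*
```

Because conditions in one access list are ORed, a second PERMIT adding WHEN(TERMINAL(...)) to MVS.VARY.** would widen, not narrow, where OPERGRP may issue the command; check the CONDITIONAL ACCESS LIST section of the RLIST output after each change.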