You can use resources in the VTAMAPPL class to control which users can open the application control block (ACB) indicated by a VTAM® application program when the user is not running an APF-authorized program or command processor. (APF-authorized applications, such as APPC and TSO/E, do not need authorization in the VTAMAPPL class to open an ACB.)

To do this, perform the following steps:
- Ask your VTAM system programmer for the following information:
  - The names of the VTAM application programs whose use is to be controlled
  - The names of RACF-defined users and groups who are to have access to those programs.
- Create profiles in the VTAMAPPL class:

      RDEFINE VTAMAPPL acb-name UACC(NONE)

  where acb-name is the ACBNAME value on the APPL statement that applies to this ACB. (An ACB name is also called an LU name or a VTAM application name.) If the ACBNAME is not specified on the APPL statement, use the name of the APPL definition statement (the ACBNAME default value). For details about ACBNAME, see z/OS Communications Server: SNA Resource Definition Reference.
- Give users and groups the appropriate access authority:

      PERMIT acb-name CLASS(VTAMAPPL) ID(userid or group) ACCESS(access-authority)

  where access-authority is one of the following:
  - NONE: Prevents users from opening the ACB
  - READ: Allows users to open the ACB
  - UPDATE: Is the same as READ
  - CONTROL: Is the same as READ
  - ALTER: Allows READ access, and also allows users to change the profile (if it is a discrete profile).
- When you are ready to start using the protection defined in the profiles, activate both the VTAMAPPL class and SETROPTS RACLIST processing for the class. You can do these two actions in one command:

      SETROPTS CLASSACT(VTAMAPPL) RACLIST(VTAMAPPL)

  Note: Any time you make a change to a VTAMAPPL profile, you must also refresh SETROPTS RACLIST processing for the VTAMAPPL class for the change to take effect.
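
The steps above as one batch TSO job, followed by a later profile change with the refresh that the note requires. This is an added example, not part of the original documentation: the JOB statement values, the ACB name PAYACB1, the group PAYGRP and the user USER01 are constructed placeholders.

```jcl
//VTAMAPPL JOB (ACCT),'PROTECT ACB',CLASS=A,MSGCLASS=X
//*
//* Constructed example. The JOB statement values, the ACB
//* name PAYACB1, the group PAYGRP and the user USER01 are
//* placeholders, not values from the documentation.
//*
//* SETUP: define the profile with UACC(NONE), permit one
//* group, then activate the class and RACLIST processing
//* in a single SETROPTS command. RLIST with AUTHUSER prints
//* the access list so the result can be checked.
//*
//SETUP    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE VTAMAPPL PAYACB1 UACC(NONE)
  PERMIT PAYACB1 CLASS(VTAMAPPL) ID(PAYGRP) ACCESS(READ)
  SETROPTS CLASSACT(VTAMAPPL) RACLIST(VTAMAPPL)
  RLIST VTAMAPPL PAYACB1 AUTHUSER
/*
//*
//* CHANGE: a profile change made after activation. It is
//* shown as a second step here; in practice it runs when
//* the change is needed. Without the REFRESH the in-storage
//* copy of the profile is unchanged and USER01 still cannot
//* open the ACB.
//*
//CHANGE   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  PERMIT PAYACB1 CLASS(VTAMAPPL) ID(USER01) ACCESS(READ)
  SETROPTS RACLIST(VTAMAPPL) REFRESH
  RLIST VTAMAPPL PAYACB1 AUTHUSER
/*
```

READ is used for both permits because, per the list above, UPDATE and CONTROL grant nothing more and ALTER additionally lets the user change a discrete profile.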