z/OS Security Server RACF Security Administrator's Guide


Activating program control (WHEN(PROGRAM) option)

SA23-2289-00

If you have the SPECIAL attribute, you can activate program control by using the WHEN(PROGRAM) operand of the SETROPTS command. When program control is active, RACF® provides access control to load modules, and program access to data sets and SERVAUTH resources. The following example shows how to specify this option:
SETROPTS WHEN(PROGRAM)

Access control to load modules allows only authorized users to load and execute specified load modules (programs). RACF uses profiles in the PROGRAM general resource class to control access to programs.

Program access to data sets allows an authorized user or group of users to access specified data sets in conjunction with the user's authority to execute a certain program. That is, some users can access specified data sets at a specified access level only while executing a certain program.

Program access to SERVAUTH class resources allows an authorized user or group of users to access certain IP addresses in conjunction with the user's authority to execute a certain program. That is, some users can access specified IP addresses at a specified access level only while executing a certain program.

If you have the SPECIAL attribute, you can also deactivate program control by using the NOWHEN(PROGRAM) operand on the SETROPTS command.

NOWHEN(PROGRAM) is in effect when a RACF database is first initialized using IRRMIN00.

Note:
  1. If the system is enabled for sysplex communication and a command is successful on the system on which it was issued, RACF propagates the command to the other members of the data sharing group.
  2. If the command fails on any of the peer systems and the system is in data sharing mode, RACF stops processing the command and backs it out of all the member systems, including the system on which it was issued.
  3. If the system is not enabled for sysplex communication, the command does not take effect on the other systems sharing the database until you issue it on those systems or the systems are IPLed.
  4. In non-data sharing mode, the command can fail on a peer system without backing out of the other systems.

For more information, see Protecting programs.
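
The following REXX exec is an added example, not part of the IBM guide. It shows the load-module and data-set cases described above working together. The names PAYCALC, PAY.LOADLIB, PAYGRP and PAY.MASTER.DATA are constructed placeholders, and the exec assumes that a DATASET profile for 'PAY.MASTER.DATA' already exists with UACC(NONE) and that the issuer has the SPECIAL attribute.

```rexx
/* REXX - added example; every resource name here is a placeholder.  */
/* PAYCALC         hypothetical program (load module)                */
/* PAY.LOADLIB     hypothetical library that contains PAYCALC        */
/* PAYGRP          hypothetical RACF group                           */
/* PAY.MASTER.DATA hypothetical data set, profile assumed to exist   */

/* 1. Turn program control on (harmless if it is already active).    */
cmds.1 = "SETROPTS WHEN(PROGRAM)"

/* 2. Access control to load modules: define the program in the      */
/*    PROGRAM class with UACC(NONE), so only permitted users run it. */
cmds.2 = "RDEFINE PROGRAM PAYCALC",
         "ADDMEM('PAY.LOADLIB'//NOPADCHK) UACC(NONE)"
cmds.3 = "PERMIT PAYCALC CLASS(PROGRAM) ID(PAYGRP) ACCESS(READ)"

/* 3. Program access to data sets: a conditional access list entry.  */
/*    PAYGRP gets UPDATE only while executing PAYCALC. This limits   */
/*    access only if PAYGRP is not also granted UPDATE through the   */
/*    standard access list or UACC of the data set profile.          */
cmds.4 = "PERMIT 'PAY.MASTER.DATA' ID(PAYGRP) ACCESS(UPDATE)",
         "WHEN(PROGRAM(PAYCALC))"

/* 4. Rebuild the in-storage program control tables so that the      */
/*    PROGRAM profile changes above take effect.                     */
cmds.5 = "SETROPTS WHEN(PROGRAM) REFRESH"
cmds.0 = 5

/* Issue each command and stop at the first failure, so a later step */
/* never runs against a half-built configuration.                    */
do i = 1 to cmds.0
  say 'Issuing:' cmds.i
  address TSO cmds.i
  if rc <> 0 then do
    say 'Command failed with RC='rc
    exit rc
  end
end

say 'Program control active; profiles defined and refreshed.'
exit 0
```

Afterward, SETROPTS LIST shows whether WHEN(PROGRAM) is in effect, and LISTDSD DATASET('PAY.MASTER.DATA') AUTHUSER displays the conditional access list entry.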





Copyright IBM Corporation 1990, 2014