z/OS Security Server RACF Security Administrator's Guide


Origin LU authorization

SA23-2289-00

You can use the APPL general resource class to protect conversations between partner LUs. This support provides the ability to grant or deny access on the basis of the identity of both the user and the LU from which the user's request originated.

An example of how a security administrator would define origin LU authorization is as follows:
RDEFINE APPL local-luname UACC(NONE)

This command creates a RACF® profile for the given LU. With UACC(NONE), no user can access the LU named by local-luname unless explicitly granted a higher access authority.

Next, the security administrator could grant conditional access to a specific RACF-defined user or group whose request originates at a given partner LU with the following:
PERMIT local-luname CLASS(APPL) ID(userid)
   ACCESS(READ) …
   WHEN(APPCPORT(partner-luname))
Note: There are two possible formats for the resource name in the APPCPORT class. See Partner LU as port of entry (POE) for additional information.

In this example, you could specify ID(*) to make LU local-luname accessible to anyone who is valid on the local system and whose request originates from LU partner-luname. Also, this example presupposes that the relevant classes have already been explicitly activated.

Using the WHEN() option puts an entry on the conditional access list of the RACF profile for local-luname, allowing userid READ access to this LU. This allows userid to use the local LU's services, but only when partner-luname is the port of entry from which the request originated.
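
The access decision that the RDEFINE and PERMIT commands above produce, as a simplified Python model added here (not IBM code, and not RACF's full authorization algorithm). It models only UACC and conditional access list entries; the names LOCALLU1, PARTLU1, OTHERLU, ALICE and BOB are constructed, and all class and method names are hypothetical.

```python
from dataclasses import dataclass, field

# RACF access authorities, lowest to highest.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


@dataclass
class ApplProfile:
    """Simplified APPL profile: UACC plus a conditional access list only."""
    name: str                                         # local LU name
    uacc: str = "NONE"                                # RDEFINE ... UACC(NONE)
    conditional: list = field(default_factory=list)   # (id, access, partner LU)

    def permit_when_appcport(self, user_id, access, partner_lu):
        # Models PERMIT ... ID(user_id) ACCESS(access) WHEN(APPCPORT(partner_lu)).
        self.conditional.append((user_id, access, partner_lu))

    def effective_access(self, user_id, origin_lu):
        # Start from UACC; a conditional entry counts only when the request's
        # port of entry (origin LU) matches the entry's APPCPORT name.
        best = LEVELS.index(self.uacc)
        for entry_id, access, partner_lu in self.conditional:
            if entry_id in (user_id, "*") and partner_lu == origin_lu:
                best = max(best, LEVELS.index(access))
        return LEVELS[best]

    def may_converse(self, user_id, origin_lu, needed="READ"):
        granted = self.effective_access(user_id, origin_lu)
        return LEVELS.index(granted) >= LEVELS.index(needed)


def build_sample():
    # Constructed sample: one user permitted from one partner LU.
    profile = ApplProfile("LOCALLU1", uacc="NONE")
    profile.permit_when_appcport("ALICE", "READ", "PARTLU1")
    return profile


def decision_matrix(profile, users, origins):
    # Every (user, origin LU) pair mapped to allow (True) or deny (False).
    return {(u, o): profile.may_converse(u, o) for u in users for o in origins}


if __name__ == "__main__":
    matrix = decision_matrix(build_sample(), ["ALICE", "BOB"], ["PARTLU1", "OTHERLU"])
    for (user, origin), allowed in matrix.items():
        print(f"{user:6} from {origin:8} -> {'ALLOW' if allowed else 'DENY'}")
```

Adding a second entry with `permit_when_appcport("*", "READ", "PARTLU1")` models the ID(*) case: any user is then allowed, but still only from PARTLU1.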





Copyright IBM Corporation 1990, 2014