z/OS Security Server RACF Security Administrator's Guide


Protecting LLA-managed data sets

SA23-2289-00

You can control which users can issue the START LLA and MODIFY LLA commands. When a user issues the START LLA and MODIFY LLA commands, the library lookaside facility (LLA) invokes a RACF® authorization check. This is done for each parameter library data set that LLA needs to access, and for each LLA-managed data set.

To do this, perform the following steps:
  1. If data set profiles for each LLA parameter library data set do not currently exist, create them. These parameter library data sets are those containing CSVLLAxx members that specify which libraries LLA is to manage and how it is to manage them. Make sure each LLA command user (or a group to which the user belongs) has READ access to all parameter library data sets that you protect.
  2. Create profiles in the FACILITY class to protect the LLA-managed data sets. These data sets are the libraries that are specified in the CSVLLAxx and LNKLSTxx members of a parameter library. For example:
    RDEFINE FACILITY CSVLLA.data-set-name UACC(NONE)

    where data-set-name is the name of the LLA-managed data set.

    Because of the CSVLLA prefix used on the resource names, and because the FACILITY class profiles can only be 39 characters long, the data-set-name portion of this profile is limited to 32 characters. If your data set name is longer than 32 characters, use generics so that the FACILITY class profile stays within the 39-character limit.

    Note:
    1. Consider creating FACILITY class profiles that correspond to the data set profiles you created in Step 1.
    2. For this protection to apply, you must create profiles in the FACILITY class as well as in the DATASET class, unless you already have access to the data set.
    3. The LLA facility first checks the user's access through the FACILITY class profile and, unless that access is allowed, then checks for access through a data set profile.
  3. Give users and groups the appropriate access authority:
    PERMIT CSVLLA.data-set-name CLASS(FACILITY)
       ID(userid or groupname) ACCESS(access-authority)
    This PERMIT command allows users or groups to issue LLA commands for the specified LLA-managed library. This access authority (access-authority) can be one of the following:
    NONE
    Allows no access.
    UPDATE
    Allows users to work with the data sets using the LLA START and LLA MODIFY commands.
    ALTER
    For discrete profiles, allows the same access as UPDATE, plus the ability to change the profile itself. For generic profiles, equivalent to UPDATE.
  4. If you have not already done so, activate the FACILITY class:
    SETROPTS CLASSACT(FACILITY)

Example:

To control all LLA-managed data sets whose high-level qualifier is CICS®, enter:
ADDSD   'CICS.*' UACC(NONE)
PERMIT  'CICS.*' ID(CICS) ACCESS(READ)
RDEFINE  FACILITY CSVLLA.CICS.* UACC(NONE)
PERMIT   CSVLLA.CICS.* CLASS(FACILITY) ID(CICS) ACCESS(UPDATE)
SETROPTS CLASSACT(FACILITY)

This command sequence allows CICS to issue the LLA MODIFY command for the LLA-managed data sets whose high-level qualifier is CICS.
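The following helper is an added example, not part of this guide or of RACF itself: it builds the CSVLLA FACILITY resource name for a data set, falls back to a trailing ".**" generic when the discrete name would exceed the 39-character limit described in Step 2, and emits the RDEFINE and PERMIT commands from Steps 2 and 3. The data set names and the user ID are constructed sample values.

```python
# Added helper (not IBM's code): derive the FACILITY-class profile name for an
# LLA-managed data set and generate the RACF commands from Steps 2 and 3.
# All data set names used here are constructed sample values.

FACILITY_MAX = 39        # maximum length of a FACILITY class profile name (per this page)
PREFIX = "CSVLLA."       # prefix LLA puts in front of the data set name (7 characters)


def facility_profile(dsname: str) -> str:
    """Return CSVLLA.<dsname>, or a trailing '.**' generic when the discrete
    name would exceed 39 characters. Low-order qualifiers are dropped until
    the generic fits; the high-level qualifier is always kept."""
    dsname = dsname.upper().strip("'")
    discrete = PREFIX + dsname
    if len(discrete) <= FACILITY_MAX:
        return discrete
    qualifiers = dsname.split(".")
    while len(qualifiers) > 1:
        qualifiers.pop()                      # drop the rightmost qualifier
        generic = PREFIX + ".".join(qualifiers) + ".**"
        if len(generic) <= FACILITY_MAX:
            return generic
    raise ValueError(f"cannot fit {dsname!r} within {FACILITY_MAX} characters")


def profile_covers(profile: str, resource: str) -> bool:
    """Approximate RACF matching for the two forms this helper emits: a
    discrete name, or a generic ending in '.**' (zero or more qualifiers)."""
    if profile.endswith(".**"):
        stem = profile[:-3]
        return resource == stem or resource.startswith(stem + ".")
    return profile == resource


def lla_commands(dsname: str, user_or_group: str, access: str = "UPDATE") -> list:
    """RACF commands for one LLA-managed data set. A generic profile protects
    every resource it matches, so review what else the generic covers (use
    profile_covers on the other CSVLLA names you manage) before issuing it."""
    profile = facility_profile(dsname)
    return [
        f"RDEFINE FACILITY {profile} UACC(NONE)",
        f"PERMIT {profile} CLASS(FACILITY) ID({user_or_group}) ACCESS({access})",
    ]


if __name__ == "__main__":
    # Constructed names: one short library and one that forces a generic.
    for ds in ("CICS.SDFHLOAD", "PROD.APPL.REGION1.COMMON.LOADLIB.V2R1"):
        for cmd in lla_commands(ds, "CICS"):
            print(cmd)
```

RACF honours a generic profile in a general resource class only when generic profile checking is active for that class (SETROPTS GENERIC(FACILITY)), which Step 4 does not show; verify it with SETROPTS LIST before relying on the generic.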

Copyright IBM Corporation 1990, 2014