z/OS Security Server RACF Security Administrator's Guide


Steps for authorizing daemons to use delegated resources

SA23-2289-00

To avoid authorizing clients to certain resources, define the resources as delegated and authorize the daemon rather than the end users. The following sample procedure authorizes the z/OS® Communications Server FTP daemon to access the ICSF resource in the CSFSERV class.

Before you begin: Consult your application documentation to determine the name of the daemon and the names of the resources to be delegated. Be sure the application is written to exploit delegated resources and nested ACEEs.
  1. Mark the resource as delegated by defining APPLDATA using any one of the following command examples.
    • RALTER CSFSERV CSFENC APPLDATA('RACF-DELEGATED')
    • If APPLDATA is already defined for this profile (this is unlikely), then enter the existing application data along with the delegated string. For example:
      RALTER CSFSERV CSFENC APPLDATA('existing-text RACF-DELEGATED')
    • To define all profiles within a given class as delegated, use the SEARCH command. For example:
      SEARCH CLASS(CSFSERV) CLIST('RALTER CSFSERV ' ' APPLDATA(''RACF-DELEGATED'')')
      EX EXEC.RACF.CLIST

    Restriction: Only users with the system-SPECIAL attribute are authorized to mark a resource as delegated when SETROPTS SECLABELCONTROL is in effect and the resource has an assigned security label.

  2. Authorize the daemon user ID to access the delegated resource.
    PERMIT CSFENC CLASS(CSFSERV) ID(FTPD) ACCESS(READ)
  3. Optionally, if you previously authorized end users to access the delegated resource, remove their access authorities. For example:
    PERMIT CSFENC CLASS(CSFSERV) ID(FTPUGRP) ACCESS(NONE)
  4. Refresh the CSFSERV class to activate your access changes.
    SETROPTS RACLIST(CSFSERV) REFRESH
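
A check to run after step 4, as an added example that is not part of the IBM documentation: it reads the saved text output of RLIST CSFSERV CSFENC ALL and reports whether the profile carries the delegated string, what access the daemon has, and which other IDs still hold access. The listing layout below is constructed and simplified, WEBUSR is a hypothetical user ID, and the function names are this example's own.

```python
import re

# Constructed, simplified RLIST CSFSERV CSFENC ALL output (not captured from a real system).
SAMPLE_RLIST = """\
CLASS      NAME
-----      ----
CSFSERV    CSFENC

APPLICATION DATA
----------------
existing-text RACF-DELEGATED

USER      ACCESS
----      ------
FTPD      READ
FTPUGRP   NONE
WEBUSR    READ
"""

LEVELS = {"NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"}

def section(text, heading):
    """Lines under `heading` (a regex), skipping its dashed underline, up to the next blank line."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if re.fullmatch(heading, line.strip()):
            body = []
            for nxt in lines[i + 2:]:
                if not nxt.strip():
                    break
                body.append(nxt.strip())
            return body
    return []

def audit_delegated(rlist_text, daemon_id):
    """Check the outcomes of steps 1 to 3 for one profile listing."""
    # Step 1 may append the string to existing APPLDATA, so look for it anywhere in the field.
    delegated = "RACF-DELEGATED" in " ".join(section(rlist_text, r"APPLICATION DATA"))
    access = {}
    for row in section(rlist_text, r"USER\s+ACCESS.*"):
        fields = row.split()
        if len(fields) >= 2 and fields[1] in LEVELS:
            access[fields[0]] = fields[1]
    # An ID set to ACCESS(NONE) in step 3 stays in the list but holds no access.
    others = sorted(i for i, lvl in access.items() if i != daemon_id and lvl != "NONE")
    return {"delegated": delegated,
            "daemon_access": access.get(daemon_id, "NONE"),
            "other_ids_with_access": others}

print(audit_delegated(SAMPLE_RLIST, "FTPD"))
```

Any ID reported in other_ids_with_access is a candidate for step 3.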





Copyright IBM Corporation 1990, 2014