Here are some things to consider when you use started procedures:
- Even if your installation uses the STARTED class, you must have
a started procedures table (ICHRIN03). RACF® cannot
be initialized if ICHRIN03 is not present. A dummy ICHRIN03 is shipped
with and installed by RACF.
If you use the STARTED class, you should leave your existing ICHRIN03
in place, in case, for example, someone unintentionally deactivates
the STARTED class. For more information, see z/OS Security Server RACF System Programmer's Guide.
- For installations that have an existing started procedures table
(ICHRIN03) and want to use the STARTED class, a sample REXX exec is provided
in member ICHSPTCV in SYS1.SAMPLIB to process the output of ICHDSM00
and build RDEFINE commands to duplicate an existing started procedures
table.
- To make sure that critical system tasks (those marked TRUSTED
or PRIVILEGED in ICHRIN03) start successfully, define specific STARTED
profiles for them in the STARTED class.
- Guideline: Assign the TRUSTED attribute when one of the
following conditions applies:
  - The started procedure or address space creates or accesses a wide
    variety of unpredictably named data sets within your installation.
  - Insufficient authority to an accessed resource might risk an unsuccessful
    IPL or other system problem.
For a list of required and optional candidates for the TRUSTED
attribute, see "Assigning the RACF TRUSTED
attribute" in z/OS MVS Initialization and Tuning Reference.
- When the STARTED class is active, RACF uses
it before using the started procedures table (ICHRIN03). A generic
profile such as ** or *.* with a
valid STDATA segment will override all the entries in ICHRIN03.
- To make sure that RACF uses
the STARTED class, you should verify that all START commands have
a matching profile with an STDATA segment that assigns a user ID.
To do this:
  - Define an appropriate generic profile that matches all possible
    START commands (for example, ** or *.*).
  - Specify =MEMBER or a user ID of limited privileges.
  - Specify a group name, if you have specified =MEMBER as
    the USER value.
This approach ensures that, for any START command, there is
always a matching profile with an STDATA segment that assigns a user
ID. In addition, using this approach avoids the following situations,
which cause RACF to use ICHRIN03
to process the START command:
  - There is no matching profile.
  - There is a matching profile, but it does not have an STDATA segment.
  - There is a matching profile with an STDATA segment, but no user
    ID is specified.
  - There is a matching profile with an STDATA segment, no user ID
    is specified, but the assigned user ID matches an existing user ID
    on your system.
- When RACROUTE REQUEST=VERIFY or VERIFYX is issued with a started
procedure name, RACF checks
to see if the STARTED class is active. If it is active, RACF uses the STARTED class to determine the
user ID, group name, trusted flag, and privileged flag to use. If
the STARTED class is not active, RACF uses
the started procedures table (ICHRIN03). RACF also uses the started procedures table,
and issues message IRR813I or IRR814I if the STARTED class is active
but one of the following occurs:
  - RACF cannot find a matching
    profile in the STARTED class.
  - RACF finds a matching profile
    but the profile does not assign a user ID.
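The approach described above (a catch-all generic profile with =MEMBER, specific profiles for critical tasks, then activating and refreshing the class), as an added REXX example that is not code from this page nor IBM's ICHSPTCV exec. The group STCGROUP, the procedure name MYCRIT and the user ID CRITUSER are assumed placeholders.

```rexx
/* REXX: added example, not from the page or from IBM's ICHSPTCV.        */
/* Issues the RACF commands that give every START command a matching    */
/* STARTED profile with an STDATA segment, then activates the class.    */
/* Assumed placeholders: group STCGROUP, procedure MYCRIT, user CRITUSER*/
address TSO

cmds.0 = 6
/* Generic processing for the class, so ** is a generic profile name    */
cmds.1 = "SETROPTS GENERIC(STARTED)"
/* Catch-all: every START command matches and gets an STDATA segment.   */
/* =MEMBER assigns the user ID that has the same name as the procedure; */
/* TRACE(YES) issues IRR812I naming the profile that was used.          */
cmds.2 = "RDEFINE STARTED ** STDATA(USER(=MEMBER) GROUP(STCGROUP) TRACE(YES))"
/* Specific profile (procname.jobname) for a task marked TRUSTED in     */
/* ICHRIN03, so it keeps that attribute once the STARTED class is used. */
cmds.3 = "RDEFINE STARTED MYCRIT.* STDATA(USER(CRITUSER) GROUP(STCGROUP)",
         "TRUSTED(YES))"
/* Activate the class; STARTED profiles take effect only when RACLISTed */
cmds.4 = "SETROPTS CLASSACT(STARTED) RACLIST(STARTED)"
/* Refresh the in-storage profiles after every RDEFINE/RALTER           */
cmds.5 = "SETROPTS RACLIST(STARTED) REFRESH"
/* Check: each listed profile should show an STDATA segment with a user */
cmds.6 = "RLIST STARTED * STDATA"

do i = 1 to cmds.0
  cmds.i                          /* pass the command string to TSO     */
  if rc <> 0 then do
    say "Command failed, rc="rc":" cmds.i
    exit rc
  end
end
exit 0
```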