z/OS Security Server RACF Security Administrator's Guide


Started procedure considerations

SA23-2289-00

Here are some things to consider when you use started procedures:
  1. Even if your installation uses the STARTED class, you must have a started procedures table (ICHRIN03). RACF® cannot be initialized if ICHRIN03 is not present. A dummy ICHRIN03 is shipped with and installed by RACF. If you use the STARTED class, you should leave your existing ICHRIN03 in place, in case, for example, someone unintentionally deactivates the STARTED class. For more information, see z/OS Security Server RACF System Programmer's Guide.
  2. For installations that have an existing started procedures table (ICHRIN03) and want to use the STARTED class, a sample REXX exec is provided in member ICHSPTCV in SYS1.SAMPLIB to process the output of ICHDSM00 and build RDEFINE commands to duplicate an existing started procedures table.
  3. To make sure that critical system tasks (those marked TRUSTED or PRIVILEGED in ICHRIN03) start successfully, define specific STARTED profiles for them in the STARTED class.
  4. Guideline: Assign the TRUSTED attribute when one of the following conditions applies:
    • The started procedure or address space creates or accesses a wide variety of unpredictably named data sets within your installation.
    • Insufficient authority to an accessed resource might risk an unsuccessful IPL or other system problem.

    For a list of required and optional candidates for the TRUSTED attribute, see "Assigning the RACF TRUSTED attribute" in z/OS MVS Initialization and Tuning Reference.

  5. When the STARTED class is active, RACF uses it before using the started procedures table (ICHRIN03). A generic profile such as ** or *.* with a valid STDATA segment will override all the entries in ICHRIN03.
  6. To make sure that RACF uses the STARTED class, you should verify that all START commands have a matching profile with an STDATA segment that assigns a user ID. To do this:
    1. Define an appropriate generic profile that matches all possible START commands (for example, ** or *.*).
    2. Specify =MEMBER or a user ID of limited privileges.
    3. Specify a group name, if you have specified =MEMBER as the USER value.
    This approach ensures that, for any START command, there is always a matching profile with an STDATA segment that assigns a user ID. In addition, using this approach avoids the following situations, which cause RACF to use ICHRIN03 to process the START command:
    1. There is no matching profile.
    2. There is a matching profile, but it does not have an STDATA segment.
    3. There is a matching profile with an STDATA segment, but no user ID is specified.
    4. There is a matching profile with an STDATA segment and a user ID is specified, but the assigned user ID does not match an existing user ID on your system.
  7. When RACROUTE REQUEST=VERIFY or VERIFYX is issued with a started procedure name, RACF checks whether the STARTED class is active. If it is active, RACF uses the STARTED class to determine the user ID, group name, trusted flag, and privileged flag to use. If the STARTED class is not active, RACF uses the started procedures table (ICHRIN03). RACF also falls back to the started procedures table, and issues message IRR813I or IRR814I, if the STARTED class is active but one of the following occurs:
    1. RACF cannot find a matching profile in the STARTED class.
    2. RACF finds a matching profile but the profile does not assign a user ID.
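
The following REXX exec is an added example, not code from this guide. It carries out the steps in item 6 and the advice in item 3: a catch-all ** profile whose STDATA segment assigns an existing low-privilege user ID (so none of the four fallback situations can occur), a specific profile for a task that needs TRUSTED, then activation and RACLIST refresh of the STARTED class. The group STCGROUP and the user IDs STCDFLT and MYTRUST are assumptions; substitute your own names.

```rexx
/* REXX - added example for setting up the STARTED class.           */
/* STCGROUP, STCDFLT and MYTRUST are assumed names, not from the    */
/* guide. Run from a user ID with SPECIAL authority.                */
ADDRESS TSO

/* A protected (NOPASSWORD NOOIDCARD) low-privilege default identity. */
/* Because the user ID exists, RACF never falls back to ICHRIN03.   */
"ADDGROUP STCGROUP OWNER(SYS1) SUPGROUP(SYS1) DATA('STARTED TASK GROUP')"
"ADDUSER  STCDFLT NAME('DEFAULT STC USER') OWNER(STCGROUP)",
         "DFLTGRP(STCGROUP) NOPASSWORD NOOIDCARD"

/* Catch-all profile (item 6): every procname.jobname matches, so   */
/* each START command finds a profile with an STDATA user ID.       */
/* TRACE(YES) makes RACF report which profile it used.              */
"RDEFINE STARTED ** STDATA(USER(STCDFLT) GROUP(STCGROUP)",
                        "TRUSTED(NO) PRIVILEGED(NO) TRACE(YES))"

/* Specific profile (item 3) for a critical task that needs TRUSTED;*/
/* its own user ID (assumed MYTRUST) must already be defined.       */
"RDEFINE STARTED MYTRUST.* STDATA(USER(MYTRUST) GROUP(STCGROUP)",
                              "TRUSTED(YES))"

/* The STARTED class must be RACLISTed; activate and refresh it.    */
"SETROPTS CLASSACT(STARTED) RACLIST(STARTED)"
"SETROPTS RACLIST(STARTED) REFRESH"

/* Verify the STDATA segment of the catch-all profile.              */
"RLIST STARTED ** STDATA NORACF"
```

Leave ICHRIN03 in place as item 1 advises; the catch-all profile makes it a safety net rather than the normal path.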





Copyright IBM Corporation 1990, 2014