Define a SAF profile for the log stream subsystem exits

Description

As of APAR OA51174, a log stream subsystem exit routine name is used only when it is one of the IBM-defined names, or the exit name is allowed through a SAF profile. Otherwise, z/OS does not invoke the exit routine name. Instead, z/OS issues message IXG507I and returns a failure indication to the log stream subsystem function (either converter or allocation).

Currently, log stream users can specify a log stream subsystem exit routine name to receive control for reading log data. Users can use either of the following methods to specify the exit routine names:
  • On the JCL DDNAME statement, on the keyword SUBSYS=(LOGR,exit_routine_name,...)
  • On a dynamic allocation request that includes a text unit value for key DALSSPRM (exit routine name)

With APAR OA51174, this behavior is changed. To continue to specify an exit routine name as described here, your installation must protect the resource IXGLOGR.SUBSYS.LSEXIT.exit_routine_name, where exit_routine_name identifies the name of the log stream subsystem exit routine.

If your installation uses RACF as its security management product, your security administrator can protect the resource by defining a profile in the FACILITY class. If your installation uses a security management product other than RACF, your security administrator can refer to this topic for reference when creating an equivalent protection in the security management product on your system.

The exception to this requirement is if your installation uses the following IBM-defined names for the exit routines. If so, you have no migration action to perform.
  • IXGSEXIT
  • IFASEXIT
  • IFBSEXIT
  • DFHLGCNV
This table provides more details about the migration action. Use this information to plan your changes to the system.
Element or feature: BCP
When change was introduced: z/OS V2R2, z/OS V2R1, and z/OS V1R13, all with PTFs for APAR OA51174 applied.
Applies to migration from: z/OS V2R2, z/OS V2R1, and z/OS V1R13, all without PTFs for APAR OA51174 applied.
Timing: Before the first IPL of z/OS V2R2.
Is the migration action required? Yes, if both of the following conditions are true:
  • Your installation has a log stream subsystem exit routine that is specified through the SUBSYS=(LOGR,...) keyword on a DDNAME JCL statement or on a dynamic allocation request that includes a text unit value for key DALSSPRM
  • Exit routine name is not one of the following IBM-defined names: IXGSEXIT, IFASEXIT, IFBSEXIT, or DFHLGCNV.
Target system hardware requirements: None.
Target system software requirements: None.
Other system (coexistence or fallback) requirements: None.
Restrictions: None.
System impacts: Jobs or dynamic allocation requests that specify a log stream exit routine name might fail with an authorization error.
Related IBM® Health Checker for z/OS® check: None.

Steps to take

If your installation does not use any log stream subsystem exit routines, or if your installation uses only the IBM-defined names for the log stream subsystem exit routine names, you have no migration action to perform.

Otherwise, if your installation uses or plans to use log stream subsystem exit routine names other than the IBM-defined names, you must perform the following steps:
  • Define a discrete profile IXGLOGR.SUBSYS.LSEXIT.exit_routine_name for the FACILITY class, where exit_routine_name is the name of the log stream subsystem exit routine. Your security administrator can use this profile to audit access failures and grant users READ access. For example: 
     RDEFINE FACILITY  IXGLOGR.SUBSYS.LSEXIT.exit_routine_name UACC(READ) AUDIT(FAILURES(READ))
  • If you need to allow for exit routine names that might not be explicitly known on your system, consider also defining the generic profile IXGLOGR.SUBSYS.LSEXIT.* in the FACILITY class. Include the WARNING attribute in the profile definition (to issue a warning message, but allow access). This profile protects resources that are associated with the log stream subsystem exit routines. For example: 
    RDEFINE FACILITY IXGLOGR.SUBSYS.LSEXIT.* UACC(NONE) WARNING

    When this generic profile is used to cover the authorization check for the resource IXGLOGR.SUBSYS.LSEXIT.exit_routine_name, if the check fails, RACF issues the appropriate warning message to the user, logs the access attempt, and allows the user to access the resource.

    Using a generic profile is recommended only as a temporary means for gathering information on the possible exit routine names on your system that require protection. When the exit routine names are identified, you can define the appropriate discrete profiles. After you protect the known exit routine names with discrete profiles, delete the generic profile.

    Note: If you do not define profiles as described here, but instead, define a generic profile that protects the resource IXGLOGR.SUBSYS.LSEXIT.exit_routine_name, the generic profile attributes are used to determine the following behaviors:
    • Outcome of the authorization checking
    • Logging
    • Whether the exit routine is invoked.

Reference information

For information about defining RACF profiles in the FACILITY class, see z/OS Security Server RACF Security Administrator's Guide.

Parent topic: BCP actions to perform before the first IPL of z/OS V2R2