Define a SAF profile for the log stream subsystem exits
Description
As of APAR OA51174, a log stream subsystem exit routine name is used only when it is one of the IBM-defined names, or the exit name is allowed through a SAF profile. Otherwise, z/OS does not invoke the exit routine name. Instead, z/OS issues message IXG507I and returns a failure indication to the log stream subsystem function (either converter or allocation).
An exit routine name can be specified in either of the following ways:
- On the JCL DDNAME statement, on the keyword SUBSYS=(LOGR,exit_routine_name,...)
- On a dynamic allocation request that includes a text unit value for key DALSSPRM (exit routine name)
With APAR OA51174, this behavior is changed. To continue to specify an exit routine name as described here, your installation must protect the resource IXGLOGR.SUBSYS.LSEXIT.exit_routine_name, where exit_routine_name identifies the name of the log stream subsystem exit routine.
If your installation uses RACF as its security management product, your security administrator can protect the resource by defining a profile in the FACILITY class. If your installation uses a security management product other than RACF, your security administrator can refer to this topic for reference when creating an equivalent protection in the security management product on your system.
The IBM-defined names for the log stream subsystem exit routines are:
- IXGSEXIT
- IFASEXIT
- IFBSEXIT
- DFHLGCNV
Element or feature: | BCP |
---|---|
When change was introduced: | z/OS V2R2, z/OS V2R1, and z/OS V1R13, all with PTFs for APAR OA51174 applied. |
Applies to migration from: | z/OS V2R2, z/OS V2R1, and z/OS V1R13, all without PTFs for APAR OA51174 applied. |
Timing: | Before the first IPL of z/OS V2R2. |
Is the migration action required? | Yes, if both of the following conditions are true: |
Target system hardware requirements: | None. |
Target system software requirements: | None. |
Other system (coexistence or fallback) requirements: | None. |
Restrictions: | None. |
System impacts: | Jobs or dynamic allocation requests that specify a log stream exit routine name might fail with an authorization error. |
Related IBM® Health Checker for z/OS® check: | None. |
Steps to take
If your installation does not use any log stream subsystem exit routines, or if your installation uses only the IBM-defined names for the log stream subsystem exit routine names, you have no migration action to perform.
- Define a discrete profile IXGLOGR.SUBSYS.LSEXIT.exit_routine_name for the FACILITY class, where exit_routine_name is the name of the log stream subsystem exit routine. Your security administrator can use this profile to audit access failures and grant users READ access. For example:
  RDEFINE FACILITY IXGLOGR.SUBSYS.LSEXIT.exit_routine_name UACC(READ) AUDIT(FAILURES(READ))
- If you need to allow for exit routine names that might not be explicitly known on your system, consider also defining the generic profile IXGLOGR.SUBSYS.LSEXIT.* in the FACILITY class. Include the WARNING attribute in the profile definition (to issue a warning message, but allow access). This profile protects resources that are associated with the log stream subsystem exit routines. For example:
  RDEFINE FACILITY IXGLOGR.SUBSYS.LSEXIT.* UACC(NONE) WARNING
When this generic profile is used to cover the authorization check for the resource IXGLOGR.SUBSYS.LSEXIT.exit_routine_name, if the check fails, RACF issues the appropriate warning message to the user, logs the access attempt, and allows the user to access the resource.
Using a generic profile is recommended only as a temporary means for gathering information on the possible exit routine names on your system that require protection. When the exit routine names are identified, you can define the appropriate discrete profiles. After you protect the known exit routine names with discrete profiles, delete the generic profile.
Note: If you do not define profiles as described here, but instead, define a generic profile that protects the resource IXGLOGR.SUBSYS.LSEXIT.exit_routine_name, the generic profile attributes are used to determine the following behaviors:
- Outcome of the authorization checking
- Logging
- Whether the exit routine is invoked.
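To identify the exit routine names that need discrete profiles, JCL can be scanned offline for SUBSYS=(LOGR,exit_routine_name,...) references. The following Python script is an added example, not IBM code: it reports every exit name that is not in the IBM-defined list and emits the discrete-profile command in the form shown in the first step. The sample JCL, the exit names MYLGEXIT and SITEX01, and the function names are constructed for illustration; the script assumes operands carry no trailing comments and does not cover dynamic allocation (DALSSPRM) requests.

```python
import re

# IBM-defined exit routine names listed on this page; they need no profile.
IBM_DEFINED = {"IXGSEXIT", "IFASEXIT", "IFBSEXIT", "DFHLGCNV"}

# A DD statement carrying SUBSYS=(LOGR,name,...); the name group may be empty.
DD_SUBSYS = re.compile(
    r"^//(\S*)\s+DD\s.*?SUBSYS=\(\s*LOGR\s*,\s*([A-Z0-9$#@]*)", re.IGNORECASE)

def join_continuations(jcl_text):
    """Drop comment statements and columns 72-80, then splice continued lines."""
    lines = [ln[:71].rstrip() for ln in jcl_text.splitlines()
             if not ln.startswith("//*")]
    return re.sub(r",\n// +", ",", "\n".join(lines))

def find_exit_names(jcl_text):
    """Map each non-IBM exit routine name to the DD names that reference it."""
    found = {}
    for stmt in join_continuations(jcl_text).splitlines():
        m = DD_SUBSYS.match(stmt)
        if not m or not m.group(2):        # no LOGR subsystem DD, or name omitted
            continue
        name = m.group(2).upper()
        if name not in IBM_DEFINED:
            found.setdefault(name, []).append(m.group(1).upper())
    return found

def rdefine_commands(names):
    """Discrete-profile commands in the form this page's first step shows."""
    return [f"RDEFINE FACILITY IXGLOGR.SUBSYS.LSEXIT.{n} "
            "UACC(READ) AUDIT(FAILURES(READ))" for n in sorted(names)]

# Constructed sample JCL (not from a real system); MYLGEXIT and SITEX01 are made up.
SAMPLE_JCL = """\
//COPYLOG  JOB (ACCT),'LOGR COPY',CLASS=A
//STEP1    EXEC PGM=IEBGENER
//* SUBSYS=(LOGR,COMMENTED,'ignored') must not be reported
//SYSUT1   DD DSN=SYSPLEX.OPERLOG,
//            SUBSYS=(LOGR,IXGSEXIT,'FROM=OLDEST,TO=YOUNGEST')
//LOGIN    DD DSN=APP.AUDIT.LOG,SUBSYS=(LOGR,MYLGEXIT,'FROM=OLDEST')
//LOGIN2   DD DSN=APP.TRACE.STREAM,
//            SUBSYS=(LOGR,SITEX01),DCB=(RECFM=VB,BLKSIZE=32760)
//NONAME   DD DSN=APP.OTHER.STREAM,SUBSYS=(LOGR,,'FROM=OLDEST')
//SYSUT2   DD SYSOUT=*
"""

if __name__ == "__main__":
    for cmd in rdefine_commands(find_exit_names(SAMPLE_JCL)):
        print(cmd)
```

The DD names returned by find_exit_names show which jobs to retest after the discrete profiles are defined and the generic profile is deleted.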
Reference information
For information about defining RACF profiles in the FACILITY class, see z/OS Security Server RACF Security Administrator's Guide.