Authorizing access to an SMSVSAM server

If you plan to run CICS® with VSAM record-level sharing (RLS), you must authorize each region that connects to an SMSVSAM server to have access to that server.

In a test environment, you might want to use the default action and allow any CICS region using VSAM RLS to connect to an SMSVSAM server. If you want to protect this access, the RACF® SUBSYSNM general resource class must be active and you must authorize each CICS region that connects to an SMSVSAM server to have access to that server. This means granting access to the appropriate profile in the RACF SUBSYSNM general resource class. You define profiles in the SUBSYSNM resource class to control access by subsystems like CICS that want to connect to SMSVSAM.

A SUBSYSNM profile name is the name by which a given subsystem, such as CICS, is known to VSAM. For CICS regions, you must use the CICS applid as the profile name in the SUBSYSNM general resource class.

When CICS attempts to register the control ACB during CICS initialization, SMSVSAM calls RACF to check that the CICS region user ID is authorized to a profile name in the SUBSYSNM class that matches the CICS applid. If the CICS region user ID does not have READ authority, the register fails.

For example, if the applid of a CICS AOR is CICSDAA1, and the CICS region user ID (shared by a number of AORs) is CICSDA##, define and authorize the profile:

RDEFINE SUBSYSNM  CICSDAA1  UACC(NONE) NOTIFY(userid)

PERMIT  CICSDAA1  CLASS(SUBSYSNM)  ID(CICSDA##)  ACCESS(READ)

You can use wildcard characters on the applid to specify more than one CICS region, for example:

PERMIT  CICSD%%%  CLASS(SUBSYSNM)  ID(CICSDGRP) ACCESS(READ)
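
The two examples above as one complete sequence, written as a REXX exec to run under TSO. This is an added example, not part of the original page: the NOTIFY user ID SECADM is a placeholder, and the SETROPTS, generic RDEFINE and RLIST steps are additions that assume generic profile checking is not yet enabled for SUBSYSNM.

```rexx
/* REXX: added example, not part of the original page.               */
/* Defines, activates and verifies the SUBSYSNM profiles shown above.*/
notify = 'SECADM'              /* placeholder NOTIFY user ID         */
n = 0

/* Generic profile checking must be enabled for the class before a   */
/* generic profile such as CICSD%%% can be defined in it.            */
call add "SETROPTS GENERIC(SUBSYSNM)"

/* Discrete profile for the AOR whose applid is CICSDAA1.            */
call add "RDEFINE SUBSYSNM CICSDAA1 UACC(NONE) NOTIFY("notify")"
call add "PERMIT CICSDAA1 CLASS(SUBSYSNM) ID(CICSDA##) ACCESS(READ)"

/* Generic profile: each % matches exactly one character. The        */
/* profile must exist before PERMIT can add to its access list.      */
/* RACF uses the most specific matching profile, so applid CICSDAA1  */
/* is still governed by the discrete profile, not by CICSD%%%.       */
call add "RDEFINE SUBSYSNM CICSD%%% UACC(NONE) NOTIFY("notify")"
call add "PERMIT CICSD%%% CLASS(SUBSYSNM) ID(CICSDGRP) ACCESS(READ)"

/* Activate the class only after the profiles and permits exist,     */
/* then refresh the in-storage generic profiles.                     */
call add "SETROPTS CLASSACT(SUBSYSNM)"
call add "SETROPTS GENERIC(SUBSYSNM) REFRESH"

/* Verify: list the access list of each profile.                     */
call add "RLIST SUBSYSNM CICSDAA1 AUTHUSER"
call add "RLIST SUBSYSNM CICSD%%% AUTHUSER"
cmd.0 = n

/* Issue the commands in order and stop at the first failure.        */
do i = 1 to cmd.0
  say 'Issuing:' cmd.i
  address TSO cmd.i
  if rc <> 0 then do
    say 'RC='rc 'from command' i', stopping.'
    exit rc
  end
end
exit 0

/* Append one command to the cmd. stem.                              */
add: procedure expose cmd. n
  parse arg text
  n = n + 1
  cmd.n = text
  return
```

If your installation RACLISTs the SUBSYSNM class, use SETROPTS RACLIST(SUBSYSNM) REFRESH for the refresh step so that the changes take effect.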