Setting up security for AFP resource libraries
This topic describes the RACF® access that is required for AFP system resource libraries and user resource libraries.
- System resource libraries are libraries specified in the transform configuration file.
- User resource libraries are libraries specified in the (1) Resource libraries field in the printer definition, (2) USERLIB parameter of the OUTPUT JCL statement, or (3) resource-library job attribute.
This RACF access is required:
- The user ID that starts Infoprint Server must have RACF READ access to all system resource libraries and user resource libraries that the transform uses.
  Users who start Infoprint Server must be members of the AOPOPER RACF group or have a UID of 0. (AOPOPER is the default group name for Infoprint Server operators; your installation can assign a different name to this group.) Therefore, give the AOPOPER group READ access to the resource libraries. If someone with a UID of 0 who is not a member of the AOPOPER group can start Infoprint Server (for example, by using the aopstart command), you must also give that user READ access to the resource libraries.
- Job submitters must have RACF READ access to all user AFP resource libraries that are specified in the printer definition, JCL statements, or job attributes.
  In addition, job submitters must use a job submission method that authenticates their z/OS® user IDs, so that Infoprint Server can use the user ID to check RACF access to the resource libraries. Job submission methods that can authenticate z/OS user IDs include:
  - lp, afpxpcl, afpxpdf, and afpxps commands
  - Windows SMB protocol
  - AOPPRINT and AOPBATCH JCL procedures
  - z/OS JCL that submits a print job to the Infoprint Server subsystem
  - z/OS JCL that submits a print job to IP PrintWay™ extended mode
  Job submitters who use other job submission methods, such as the Infoprint Port Monitor for Windows, can use only those user AFP resource libraries that have universal READ access.
Tips:
- To limit access to AFP resources, your installation should use the AOPSTART JCL procedure (instead of the aopstart command) to start Infoprint Server. You can associate one user ID with the AOPSTART JCL procedure, and that user ID can be the sole member of the AOPOPER group.
- Specify the RACF NOTIFY parameter in the RACF profiles for AFP resource libraries so that you receive RACF messages when a user does not have READ access to an AFP resource library. Infoprint Server writes a message (AOP092E) to the common message log and to the job submitter (if the job submission method allows messages to be returned) when the user does not have READ access to the AFP resource libraries. However, Infoprint Server suppresses RACF messages for failed access checks if you do not request RACF notification in the RACF NOTIFY parameter (on the RDEFINE or RALTER command).
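The RACF setup described on this page, written out as an added example (not from the Infoprint Server documentation) in the form of a REXX exec run under TSO. The data set names, the AFPRES owning group, the AFPUSERS job-submitter group, the ROOTOPR user and the AOPADMIN notify ID are constructed placeholders; AOPOPER is the default operator group named on this page, and generic profile checking for the DATASET class is assumed to be active.

```rexx
/* REXX: added example, not from the Infoprint Server documentation.     */
/* Placeholders: AFPRES is a RACF-defined group that owns the AFP        */
/* resource library data sets, AFPUSERS is a group of job submitters,    */
/* ROOTOPR is a UID 0 user outside AOPOPER who may run aopstart, and     */
/* AOPADMIN is the security administrator to notify on failed access.    */
address TSO

/* System resource libraries (named in the transform configuration):
   only the Infoprint Server start-up user (AOPOPER) needs READ.         */
call racf "ADDSD 'AFPRES.SYSLIB.**' UACC(NONE) NOTIFY(AOPADMIN)"
call racf "PERMIT 'AFPRES.SYSLIB.**' CLASS(DATASET) ID(AOPOPER) ACCESS(READ)"

/* User resource libraries (printer definition, USERLIB, job attribute):
   the start-up user and authenticated job submitters need READ.         */
call racf "ADDSD 'AFPRES.USERLIB.**' UACC(NONE) NOTIFY(AOPADMIN)"
call racf "PERMIT 'AFPRES.USERLIB.**' CLASS(DATASET) ID(AOPOPER) ACCESS(READ)"
call racf "PERMIT 'AFPRES.USERLIB.**' CLASS(DATASET) ID(AFPUSERS) ACCESS(READ)"

/* A UID 0 user who is not in AOPOPER but can start Infoprint Server
   with aopstart also needs READ to both kinds of library.               */
call racf "PERMIT 'AFPRES.SYSLIB.**' CLASS(DATASET) ID(ROOTOPR) ACCESS(READ)"
call racf "PERMIT 'AFPRES.USERLIB.**' CLASS(DATASET) ID(ROOTOPR) ACCESS(READ)"

/* Resources that must stay reachable through submission methods that
   cannot authenticate the z/OS user ID (for example the Infoprint Port
   Monitor for Windows) only work with universal READ. Keep them in a
   separate library so UACC(READ) is not applied to every library.      */
call racf "ADDSD 'AFPRES.PUBLIB.**' UACC(READ) NOTIFY(AOPADMIN)"

/* Generic profile changes take effect after the in-storage refresh.     */
call racf "SETROPTS GENERIC(DATASET) REFRESH"

/* Check: the access list should show only the IDs intended to hold READ.*/
call racf "LISTDSD DATASET('AFPRES.USERLIB.**') GENERIC AUTHUSER"
exit 0

/* Issue one RACF command and report a non-zero return code.            */
racf: procedure
  parse arg cmd
  address TSO cmd
  if rc <> 0 then say 'RC='rc 'from:' cmd
  return
```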