IBM Print Transforms from AFP for Infoprint Server for z/OS

Setting up security for AFP resource libraries

G325-2634-02

This topic describes the RACF® access that is required for AFP system resource libraries and user resource libraries.

  • System resource libraries are libraries specified in the transform configuration file.
  • User resource libraries are libraries specified in the (1) Resource libraries field in the printer definition, (2) USERLIB parameter of the OUTPUT JCL statement, or (3) resource-library job attribute.

This RACF access is required:

  • The user ID that starts Infoprint Server must have RACF READ access to all system resource libraries and user resource libraries that the transform uses.

    Users who start Infoprint Server must be members of the AOPOPER RACF group, or have a UID of 0. (AOPOPER is the default group name for Infoprint Server operators. However, your installation can assign a different name to this group.) Therefore, you should give the AOPOPER group READ access to the resource libraries. If someone with a UID of 0 who is not a member of the AOPOPER group can start Infoprint Server (for example, using the aopstart command), you must also give this user READ access to the resource libraries.

  • Job submitters must have RACF READ access to all user AFP resource libraries that are specified in the printer definition, JCL statements, or job attributes.

    In addition, job submitters must use a job submission method that authenticates their z/OS® user IDs so that Infoprint Server can use the user ID to check RACF access to the resource libraries. Job submission methods that can authenticate z/OS user IDs include:

    • lp, afpxpcl, afpxpdf, and afpxps commands
    • Windows SMB protocol
    • AOPPRINT and AOPBATCH JCL procedures
    • z/OS JCL that submits a print job to the Infoprint Server subsystem
    • z/OS JCL that submits a print job to IP PrintWay™ extended mode

    Job submitters who use other job submission methods, such as the Infoprint Port Monitor for Windows, can only use user AFP resource libraries that have universal READ access.

Tips:
  1. To limit access to AFP resources, your installation should use the AOPSTART JCL procedure (instead of the aopstart command) to start Infoprint Server. This is because you can associate one user ID with the AOPSTART JCL procedure, and this user ID can be the sole member of the AOPOPER group.
  2. Specify the RACF NOTIFY parameter in the RACF profiles for AFP resource libraries so that you can receive RACF messages when a user does not have READ access to an AFP resource library. Infoprint Server writes a message (AOP092E) to the common message log and to the job submitter (if the job submission method allows messages to be returned) when the user does not have READ access to the AFP resource libraries. However, Infoprint Server suppresses RACF messages for failed access checks if you do not request RACF notification in the RACF NOTIFY parameter (on the RDEFINE or RALTER command).
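
The access rules above, written out as RACF TSO commands. This is an added example, not part of the IBM topic. It assumes the resource libraries are data sets protected by discrete DATASET-class profiles (managed with ADDSD, ALTDSD, and PERMIT); the data set names, the notify user ID SECADM1, and the job-submitter group PAYROLL are placeholders.

```tso
/* Placeholders, not from the IBM topic:                            */
/*   PRINT.AFP.FONTLIB, PRINT.AFP.OVERLAYS, PRINT.AFP.PUBLIC,       */
/*   SECADM1 (user who receives notify messages), PAYROLL (group)   */

/* Restricted library: no universal access, and denied READ         */
/* attempts are reported to SECADM1 through NOTIFY.                 */
ADDSD  'PRINT.AFP.FONTLIB' UACC(NONE) NOTIFY(SECADM1)

/* The group whose members start Infoprint Server needs READ.       */
PERMIT 'PRINT.AFP.FONTLIB' ID(AOPOPER) ACCESS(READ)

/* Job submitters who name this library in a printer definition,    */
/* JCL, or job attribute also need READ, and must submit through    */
/* a method that authenticates their z/OS user ID.                  */
PERMIT 'PRINT.AFP.FONTLIB' ID(PAYROLL) ACCESS(READ)

/* Library that already has a profile: add notification only.       */
ALTDSD 'PRINT.AFP.OVERLAYS' NOTIFY(SECADM1)

/* Library meant for submission methods that do not authenticate    */
/* the z/OS user ID (for example, the Infoprint Port Monitor for    */
/* Windows). Universal READ exposes it to every user, so it should  */
/* hold only resources that every user may read.                    */
ADDSD  'PRINT.AFP.PUBLIC' UACC(READ) NOTIFY(SECADM1)

/* Review the result: UACC, NOTIFY user, and the access list.       */
LISTDSD DATASET('PRINT.AFP.FONTLIB') ALL
LISTDSD DATASET('PRINT.AFP.PUBLIC') ALL
```

If a UID 0 user outside AOPOPER can start Infoprint Server, that user needs its own PERMIT with ACCESS(READ) on each restricted library.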

Copyright IBM Corporation 1990, 2014