z/OS MVS Planning: APPC/MVS Management


Giving Program Access to the APPC/MVS Administration Utility

SA23-1388-00

To ensure that TP profiles and side information files are accessed only through the APPC/MVS administration utility (ATBSDFMU), the system security administrator may use the program access to data sets (PADS) function of RACF® for the data sets specified in the SYSSDLIB DD statement. For a PADS environment, the administrator must define certain programs to the RACF PROGRAM class; those programs vary, depending on the method used to invoke the utility:
  • For a batch job, define the following:
    • ATBSDFMU entry points ATBINMIG, ATBSDEPE, ATBSDFMU, ATBSDFCS, and ATBSDFM1
    • SYS1.LINKLIB members that ATBSDFMU calls to check the syntax of JCL
  • For an application program, define the programs listed for a batch job, and any programs that are loaded before the ATBSDFMU utility is invoked.
  • For a REXX program, define the programs listed for a batch job, the TSO/E Information Center Facility program ICQASLI0, and any programs that are loaded before the ATBSDFMU utility is invoked.
For example, to give administrators in the ADMIN01 group access, use the following commands:
RDEFINE PROGRAM ATBINMIG ADDMEM('SYS1.MIGLIB'/volser) UACC(NONE)

RDEFINE PROGRAM ATBSDEPE ADDMEM('SYS1.MIGLIB'/volser) UACC(NONE)

RDEFINE PROGRAM ATBSDFMU ADDMEM('SYS1.MIGLIB'/volser) UACC(NONE)

RDEFINE PROGRAM ATBSDFCS ADDMEM('SYS1.MIGLIB'/volser) UACC(NONE)

RDEFINE PROGRAM ATBSDFM1 ADDMEM('SYS1.MIGLIB'/volser) UACC(NONE)

RDEFINE PROGRAM * ADDMEM('SYS1.LINKLIB'/volser/NOPADCHK) UACC(NONE)

PERMIT ATBSDFMU CLASS(PROGRAM) ID(ADMIN01) ACCESS(READ)

ADDSD 'data.set.name' GENERIC UACC(NONE)

PERMIT 'data.set.name' ID(ADMIN01) WHEN(PROGRAM(ATBSDFMU)) ACCESS(UPDATE)

If you encounter messages ATB369I or ICH408I after defining these programs, follow the procedure in z/OS Security Server RACF Diagnosis Guide for obtaining traces for PADS errors. This procedure helps identify additional programs that require definition to the RACF PROGRAM class.

If the APPC/MVS administration dialog is used as the interface to the utility, and PADCHK is specified in any of the members defined in the PROGRAM class profile, then all programs that are loaded under the TCB must be included in the conditional access list for all data sets being opened. Additionally, ICQASLI0 must be in the conditional access list of any data sets being opened. The following command may be used:
   PERMIT dataset_profile_name ID(ADMIN01) WHEN(PROGRAM(ICQASLI0))
          ACCESS(UPDATE)
Note: Program control must be active on the system for this access control to take effect. For more information about controlling program access to data sets, see z/OS Security Server RACF Security Administrator's Guide.
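The following is an added example, not part of the IBM documentation: a small Python check that reviews a RACF command deck like the one above before it is run. It reports entry points left without a PROGRAM profile, a UACC other than NONE, and any data set PERMIT that lacks WHEN(PROGRAM(...)) and would therefore allow access outside the utility. It assumes one command per line with unabbreviated verbs; the function names and the sample deck are constructed for illustration.

```python
import re

# Entry points the page lists for a batch invocation of ATBSDFMU.
REQUIRED = {"ATBINMIG", "ATBSDEPE", "ATBSDFMU", "ATBSDFCS", "ATBSDFM1"}

def operand(cmd, keyword):
    """Return the text inside KEYWORD(...), allowing one nested (...), or None."""
    m = re.search(rf"\b{keyword}\s*\(([^()]*(?:\([^()]*\)[^()]*)*)\)", cmd, re.I)
    return m.group(1).strip() if m else None

def audit(deck, dataset):
    """Return findings for a RACF command deck meant to put `dataset` under PADS."""
    findings, defined, conditional = [], set(), set()
    for cmd in filter(None, map(str.strip, deck.splitlines())):
        words = cmd.split() + ["", ""]          # pad so short lines do not raise
        verb, target = words[0].upper(), words[1].strip("'")
        uacc_ok = (operand(cmd, "UACC") or "").upper() == "NONE"
        if verb == "RDEFINE" and target.upper() == "PROGRAM":
            defined.add(words[2].upper())
            if not uacc_ok:
                findings.append(f"PROGRAM {words[2]}: UACC not explicitly NONE")
        elif verb == "ADDSD" and target == dataset and not uacc_ok:
            findings.append(f"{dataset}: UACC not explicitly NONE")
        elif verb == "PERMIT" and target == dataset:
            when = re.fullmatch(r"PROGRAM\s*\(\s*(\S+?)\s*\)",
                                operand(cmd, "WHEN") or "", re.I)
            if when:
                conditional.add(when.group(1).upper())
            else:  # standard access list entry: any program may open the data set
                findings.append(f"{dataset}: unconditional PERMIT for {operand(cmd, 'ID')}")
    findings += [f"entry point {p} has no PROGRAM profile" for p in sorted(REQUIRED - defined)]
    if "*" not in defined:  # a generic PROGRAM * profile may cover any member name
        findings += [f"WHEN(PROGRAM({p})) names a program with no PROGRAM profile"
                     for p in sorted(conditional - defined)]
    return findings

# Constructed sample deck: ATBSDFM1 is not defined and the data set PERMIT is unconditional.
SAMPLE = """\
RDEFINE PROGRAM ATBINMIG ADDMEM('SYS1.MIGLIB'/volser) UACC(NONE)
RDEFINE PROGRAM ATBSDEPE ADDMEM('SYS1.MIGLIB'/volser) UACC(NONE)
RDEFINE PROGRAM ATBSDFMU ADDMEM('SYS1.MIGLIB'/volser) UACC(NONE)
RDEFINE PROGRAM ATBSDFCS ADDMEM('SYS1.MIGLIB'/volser) UACC(NONE)
ADDSD 'data.set.name' GENERIC UACC(NONE)
PERMIT 'data.set.name' ID(ADMIN01) ACCESS(UPDATE)
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "data.set.name"):
        print(finding)
```

The check only reads the command text; it does not query the RACF database, so it cannot confirm that the library and volume named in ADDMEM match where the modules actually reside.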





Copyright IBM Corporation 1990, 2014