To control who can undefine a dynamic exit, the RACF® security administrator can take the following
steps:
- To establish a profile for the exit name for the FACILITY class,
issue RDEFINE:
RDEFINE FACILITY CSVDYNEX.exitname.UNDEFINE UACC(NONE)
where
exitname is
the name of the dynamic exit. For example,
MYEXIT
You
can use generic characters for the qualifiers in the exit name or
routine name. For example,
CSVDYNEX.MYEX*
If
you have RACF 1.9 or higher
installed, you can use the following generic to cover all dynamic
exit names:
CSVDYNEX.**
To ensure
that generic profile checking is in effect for the class FACILITY,
issue the following command:
SETROPTS GENERIC(FACILITY)
For
coverage of exit names, check the names currently specified in the
PROGxx parmlib members. Also use the DISPLAY PROG,EXIT system command.
- To permit the user (in this example user OPER1) to undefine exit
e, issue the following:
PERMIT CSVDYNEX.e.UNDEFINE CLASS(FACILITY) ID(OPER1) ACCESS(UPDATE)
OPER1
must be the name of a RACF-defined user or group profile.
Note: Instead
of specifying individual userids, you can specify the name of a RACF group profile and connect
authorized users to the group. See
Defining RACF profiles.
- If the FACILITY class is not already active, issue the SETROPTS
command as follows:
SETROPTS CLASSACT(FACILITY)
(To
ensure that the FACILITY class is active, you can issue the SETROPTS
LIST command.)
- To refresh the FACILITY resource class, issue SETROPTS RACLIST:
SETROPTS RACLIST(FACILITY) REFRESH
If
any exit or exit routine is not covered by a RACF profile and a user has access to the SETPROG
or SET PROG command, MVS™ accepts
the command. To ensure that only authorized users can perform the
operation, you might define a generic profile for all exit names (CSVDYNEX.**)
with UACC(NONE), then define specific RACF profiles
for each exit or exit routine that the user has authorization to control.