Steps for authorizing users to the random number generate service (CSFRNG)

About this task

Before you begin: Make sure that the CSFRNG resource profile has been defined. If it has not, issue the following command, where CSFSERV is the class name and CSFRNG is the profile name:
RDEFINE CSFSERV CSFRNG UACC(NONE) 

Perform the following steps to authorize users to the random number generate service (CSFRNG):

Procedure


  1. Use one of the following commands to give READ access to the CSFRNG profile, based on your site's security policy:
    • To give a user READ access to the CSFRNG profile, where userid is the UID for the specified user, issue:
      PERMIT CSFRNG CLASS(CSFSERV) ID(userid) ACCESS(READ)

      If you choose to give READ access to individual users, you need to repeat this step for each user who requires access.

    • To give READ access for a specific group to the CSFRNG profile, where groupid is the GID for the specified group, issue:
      PERMIT CSFRNG CLASS(CSFSERV) ID(groupid) ACCESS(READ)

      Verify that the intended user IDs are added to the group.

    • To give READ access for all RACF®-defined users and groups to the CSFRNG profile, issue:
      PERMIT CSFRNG CLASS(CSFSERV) ID(*) ACCESS(READ)

      Giving all users and groups READ access to the CSFRNG profile is an unconditional way to authorize users. The security administrator must take the site's security policy into consideration when deciding whether to give all RACF-defined users and groups access to CSFRNG. z/OS Cryptographic Services ICSF Administrator's Guide has information about the CSFRNG profile.

    • Starting with ICSF version HCR77A1, you can disable checking of this resource by defining the following XFACILIT profile and refreshing that class:
      RDEFINE XFACILIT CSF.CSFSERV.AUTH.CSFRNG.DISABLE UACC(READ)
      SETROPTS REFRESH RACLIST(XFACILIT)

    _______________________________________________________________


  2. Verify that all user IDs given access to this class have an OMVS segment defined and are not using the default OMVS segment.

    _______________________________________________________________


  3. Refresh the CSFSERV class.
    SETROPTS RACLIST(CSFSERV) REFRESH

    _______________________________________________________________

Results

When you are done, you have authorized users to the random number generate service (CSFRNG).
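
The group-based option from step 1, followed by checks for steps 2 and 3, can be run as one TSO batch job. This is an added example, not part of the original procedure: the job card, the group name CRYPTGRP and the user ID APPUSR1 are hypothetical placeholders, and the CSFRNG profile is assumed to be already defined with UACC(NONE).

```jcl
//CSFRNGAU JOB (ACCT),'AUTH CSFRNG',CLASS=A,MSGCLASS=X
//*
//* Added example. CRYPTGRP and APPUSR1 are hypothetical names;
//* replace them and the job card with values for your site.
//* Assumes CSFSERV profile CSFRNG already exists with UACC(NONE).
//*
//* Commands in SYSTSIN, in order:
//*  1. PERMIT    - give the group READ access to CSFRNG (step 1)
//*  2. LISTGRP   - list the user IDs connected to the group, to
//*                 confirm only the intended users are members
//*  3. LISTUSER  - show the OMVS segment of a member (step 2);
//*                 repeat for each user ID in the group
//*  4. SETROPTS  - refresh the in-storage CSFSERV profiles (step 3)
//*  5. RLIST     - show UACC and the access list of CSFRNG, to
//*                 confirm the result and spot an ID(*) entry
//*
//RACFCMD  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  PERMIT CSFRNG CLASS(CSFSERV) ID(CRYPTGRP) ACCESS(READ)
  LISTGRP CRYPTGRP
  LISTUSER APPUSR1 OMVS NORACF
  SETROPTS RACLIST(CSFSERV) REFRESH
  RLIST CSFSERV CSFRNG AUTHUSER
/*
```

Review the RLIST output in SYSTSPRT against the site's security policy: the access list should contain only the entries you intended to authorize.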