Setting up the security environment by using RACF or an equivalent security product
- For more information about RACF resource profiles, see z/OS Security Server RACF Command Language Reference.
- The following sections contain examples of setting up facility classes for File Manager using RACF. If you are using an equivalent security product, refer to your product's documentation that describes the definition and usage of facility classes.
- FILEM.DISK.INPUT: Disk input functions
- FILEM.DISK.UPDATE: Disk update functions
- FILEM.TAPE.INPUT: Tape input functions
- FILEM.TAPE.OUTPUT: Tape output functions
- FILEM.TAPE.DUPLICATE: Tape copy functions
- FILEM.TAPE.UPDATE: Tape update functions
- FILEM.VSAM.UPDATE: VSAM update functions
- FILEM.OAM.OUTPUT: OAM output functions
- FILEM.OAM.UPDATE: OAM update functions
- FILEM.LOADMOD.UPDATE: Load module update functions
- FILEM.OTHER.ALL: All other functions
- FILEM.TAPE.BLP: See Controlling Bypass Label Processing (BLP)
- FILEM.DISK.FULLPACK: See Controlling fullpack access to DASD volumes
For more information about these groups, see Table 3.
Controlling access
- FILEM.CICS.BASE: Access to File Manager base function
- FILEM.CICS.IMS: Access to FM/IMS
- FILEM.CICS.DB2: Access to FM/DB2
If a user ID running FM/CICS has read access to any of these groups, then the associated function (FM, FM/IMS, or FM/DB2) appears on the FM/CICS primary option menu and the user can invoke it, provided that it is installed.
To achieve this, File Manager makes RACROUTE calls, with STATUS=ACCESS, to the CICS® SAF FACILITY profiles. When RACF is used, the STATUS=ACCESS request works as documented, and no security-related logging or abends are generated, even if you do not have access to the profile.
However, when non-RACF security products (such as ACF2) are used, S047 abends may be issued in response to this RACROUTE request. Users of such products should consult the relevant product documentation and make changes accordingly.
If you have installed and customized the FM/CICS component, you should review your requirement for this access.
For more information about FM/CICS, see Customizing File Manager CICS Component, and also the File Manager User’s Guide and Reference for CICS.
Protecting update functions
- FILEM.BASE.UPDATE: Protect update functions in File Manager base
- FILEM.DB2.UPDATE: Protect update functions in FM/DB2
- FILEM.CICS.UPDATE: Protect update functions in FM/CICS
(This aspect of security is handled differently for FM/IMS, see Controlling access to IMS subsystems and FM/IMS functions.)
These facility classes also require the option SEC=YES to be specified in FMN0POPT (for File Manager base), FMN2POPT (for FM/DB2), and FMN3POPT (for FM/CICS). For information about the SEC option, see SEC. For more information about the protected functions, see Unprotected functions and profile names for protected functions. For a list of functions that are protected by this method, see Table 1, Customizing to protect update functions in FM/DB2, and Customizing to protect update functions in FM/CICS.
If you do not specify SEC=YES in your options modules, then no checking of these facility classes is done.
Examples of giving or denying access
- To give universal access of NONE to a group of functions (for example, disk input functions), enter a RACF command similar to this:
  RDEFINE FACILITY FILEM.DISK.INPUT UACC(NONE)
  This means that no users can use any functions in the group unless otherwise specified.
- To give all users access to a group of functions (for example, tape input functions), enter a RACF command similar to this:
  RDEFINE FACILITY FILEM.TAPE.INPUT UACC(READ)
- To give a user (with user ID userid) access to a group of functions (for example, tape output functions), enter a RACF command similar to this:
  PERMIT FILEM.TAPE.OUTPUT CLASS(FACILITY) ID(userid) ACCESS(READ)
  Similarly, to deny a user access to tape output functions, enter a RACF command similar to this:
  PERMIT FILEM.TAPE.OUTPUT CLASS(FACILITY) ID(userid) ACCESS(NONE)
  The PERMIT statement for FILEM.TAPE.OUTPUT overrides the universal access that you specified for FILEM.TAPE.OUTPUT.
- To give a user access to a specific function (for example, the VSAM to Tape function), enter a RACF command similar to this:
  PERMIT FILEM.FUNCTION.VT CLASS(FACILITY) ID(userid) ACCESS(READ)
  Similarly, to deny a user access to the VT function, enter a RACF command similar to this:
  PERMIT FILEM.FUNCTION.VT CLASS(FACILITY) ID(userid) ACCESS(NONE)
  The PERMIT statement for FILEM.FUNCTION.VT overrides any access that you specified for FILEM.TAPE.OUTPUT.
- To give a user (with user ID userid) permission to update a load module, enter a RACF command similar to this:
  PERMIT FILEM.FUNCTION.LMU CLASS(FACILITY) ID(userid) ACCESS(READ)
  The PERMIT statement for FILEM.FUNCTION.LMU overrides any universal access that you specified for FILEM.LOADMOD.UPDATE.
- If the FACILITY class is not already active on your system, enter the following RACF commands to activate it:
  SETROPTS CLASSACT(FACILITY)
  SETROPTS GENERIC(FACILITY)
  SETROPTS GENCMD(FACILITY)
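The examples above state two precedence rules: within a profile, an explicit PERMIT entry for a user overrides the profile's UACC, and a function-level profile (FILEM.FUNCTION.VT, FILEM.FUNCTION.LMU) overrides the group-level profile that would otherwise cover the function. The following Python model is an added illustration of those rules; it is not File Manager or RACF code. It replays the page's RDEFINE and PERMIT commands into an in-memory profile table and resolves access the way the text describes. The access-level ordering, the treatment of an uncovered function as "no decision" (None), the user ID USER1 in place of the page's placeholder userid, and the function code XX (a hypothetical function with no function-level profile) are all assumptions of the model.

```python
"""Added illustration (not File Manager or RACF code) of how the FACILITY
profiles in the examples above resolve to an access decision."""
import re
from dataclasses import dataclass, field

# Assumed ordering of RACF access levels, lowest to highest.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


@dataclass
class Profile:
    """One discrete FACILITY profile: its UACC plus its access list."""
    uacc: str = "NONE"
    acl: dict = field(default_factory=dict)  # user ID -> access level


# Only the two command shapes used on this page are recognised.
_RDEFINE = re.compile(r"^RDEFINE\s+FACILITY\s+(\S+)\s+UACC\((\w+)\)$", re.I)
_PERMIT = re.compile(
    r"^PERMIT\s+(\S+)\s+CLASS\(FACILITY\)\s+ID\((\w+)\)\s+ACCESS\((\w+)\)$", re.I)


def apply_commands(commands):
    """Build the profile table by replaying RDEFINE/PERMIT commands in order."""
    profiles = {}
    for raw in commands:
        line = raw.strip()
        if not line:
            continue
        m = _RDEFINE.match(line)
        if m:
            profiles[m.group(1).upper()] = Profile(uacc=m.group(2).upper())
            continue
        m = _PERMIT.match(line)
        if m:
            name, user, level = (g.upper() for g in m.groups())
            if name not in profiles:
                # RACF rejects a PERMIT on a profile that has not been RDEFINEd.
                raise ValueError(f"PERMIT on undefined profile {name}")
            profiles[name].acl[user] = level
            continue
        raise ValueError(f"unrecognised command: {line}")
    return profiles


def profile_access(profile, user):
    """Within one profile, an explicit access-list entry beats UACC."""
    return profile.acl.get(user.upper(), profile.uacc)


def resolve(profiles, user, function_code, group_profile):
    """Return the access level for a function, or None if no profile covers it.

    Precedence follows the text: FILEM.FUNCTION.<code>, if defined, overrides
    the group profile (for example FILEM.TAPE.OUTPUT). Returning None for
    'no profile at all' is an assumption of this model, not documented behaviour.
    """
    func_profile = f"FILEM.FUNCTION.{function_code.upper()}"
    if func_profile in profiles:
        return profile_access(profiles[func_profile], user)
    if group_profile.upper() in profiles:
        return profile_access(profiles[group_profile.upper()], user)
    return None


def is_allowed(level):
    """The examples grant READ, so READ or higher counts as allowed."""
    return level is not None and LEVELS.index(level) >= LEVELS.index("READ")


# Constructed sample: the page's commands, plus the RDEFINEs that the PERMITs
# need (a PERMIT fails if its profile does not exist yet), with USER1 standing
# in for the page's placeholder userid.
SAMPLE_COMMANDS = [
    "RDEFINE FACILITY FILEM.DISK.INPUT UACC(NONE)",
    "RDEFINE FACILITY FILEM.TAPE.INPUT UACC(READ)",
    "RDEFINE FACILITY FILEM.TAPE.OUTPUT UACC(NONE)",
    "PERMIT FILEM.TAPE.OUTPUT CLASS(FACILITY) ID(USER1) ACCESS(READ)",
    "RDEFINE FACILITY FILEM.FUNCTION.VT UACC(NONE)",
    "PERMIT FILEM.FUNCTION.VT CLASS(FACILITY) ID(USER1) ACCESS(NONE)",
]

if __name__ == "__main__":
    table = apply_commands(SAMPLE_COMMANDS)
    # XX is a hypothetical function code with no function-level profile.
    for user, code, group in [("USER1", "XX", "FILEM.TAPE.OUTPUT"),
                              ("USER1", "VT", "FILEM.TAPE.OUTPUT"),
                              ("USER2", "VT", "FILEM.TAPE.OUTPUT"),
                              ("USER2", "XX", "FILEM.TAPE.INPUT")]:
        level = resolve(table, user, code, group)
        verdict = "allowed" if is_allowed(level) else "denied"
        print(f"{user} {code} via {group}: {level} -> {verdict}")
```

Running the script shows USER1 reaching tape output functions through the group PERMIT, but being denied the VT function because the function-level profile wins, while USER2 (no PERMIT anywhere) falls back to each profile's UACC. The model also refuses a PERMIT against a profile that was never RDEFINEd, which is the order-of-operations mistake most likely when typing the page's examples into a system where the group profiles do not yet exist.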