IBM Support

RMDS - Retention Management Distribution System on z/OS - RACF Considerations

Question & Answer


Question

In RMDS, is there any way to restrict viewing of reports?

Cause

Need explanation of how to limit viewing of reports

Answer

The VTAM viewer can issue two distinct RACROUTE requests.

The first is issued during the allocation of the report data set, using the started task's UserID. This RACROUTE is controlled by MVS, outside of any RMDS options or exits.

The second RACROUTE is used to determine access authorization based on the UserID of the currently logged-in user. This second RACROUTE can be influenced by RMDS options and/or user exits.

This means that the UserID of the started task must have read access to all RMDS data sets that you wish to be able to access with the RMDS viewer.

The second level of access can be controlled via the user exit DBNUXSEC, or by using an RMDS discrete or model profile. Implementing the user exit DBNUXSEC can allow you to filter the access to a data set based on any criteria that you may care to use. The model profile allows you to tailor user access to a specific report or to a group of reports.

Information on the user exits can be found in:

   RMDS - Customization, Tuning, and Diagnosis
   Version 2 Release 3
   Document Number S544-5398-00
   Chapter: 6. Installing User Exits
   Section: 6.4.17 DBNUXSEC--Security

The information on RMDS and RACF can be found in:

   RMDS - Administration Guide
   Version 2 Release 3
   Document Number S544-5395-00
   Chapter 16. Administering Report Security

Information on model profiles can be found in:

   Section: 16.3.3 Using Discrete (Model) Profiles

A frequent follow-on question is, "Is it possible to use variable substitution in the RMDS form RACF_PROFILE?"

The answer is: not easily.

A sharp HLASM programmer could do so in an exit, but most shops do not want to go to that trouble.

However, from the RMDS - Administration Guide:

As described in Chapter 16, RMDS also uses discrete and generic
profiles for use with RACF. These FORMS can easily be located with
the use of SPUFI and the following SQL:

   Select FORM_NAME, REPTNAME, RACF_PROFILE
   From <database_owner>.FORMS
   Where Not RACF_PROFILE = ''

SQL code can be used after the form is archived to update the FORMS.
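
The following SPUFI input is an added example, not taken from the RMDS documentation. It extends the query above into a review of profile coverage followed by a guarded update. The form name and profile name are constructed placeholders, <database_owner> must be replaced as in the query above, and treating a blank RACF_PROFILE as "no profile assigned" is an assumption inferred from that query.

```sql
-- Added example. 'CONSTRUCTED_FORM' and 'CONSTRUCTED.PROFILE.NAME' are
-- placeholders; replace <database_owner> with the owner of the RMDS tables.

-- 1. Forms that have no RACF profile recorded (the inverse of the query above).
--    Assumption: an unassigned profile is stored as blanks, not as NULL.
SELECT FORM_NAME, REPTNAME
  FROM <database_owner>.FORMS
 WHERE RACF_PROFILE = ''
 ORDER BY FORM_NAME;

-- 2. How many forms share each profile, to spot profiles that cover
--    more reports than intended.
SELECT RACF_PROFILE, COUNT(*) AS FORM_COUNT
  FROM <database_owner>.FORMS
 WHERE NOT RACF_PROFILE = ''
 GROUP BY RACF_PROFILE
 ORDER BY FORM_COUNT DESC;

-- 3. Assign a profile to one form. The second predicate keeps the update
--    from overwriting a profile that is already set.
UPDATE <database_owner>.FORMS
   SET RACF_PROFILE = 'CONSTRUCTED.PROFILE.NAME'
 WHERE FORM_NAME = 'CONSTRUCTED_FORM'
   AND RACF_PROFILE = '';

-- 4. Confirm the result before committing the unit of work.
SELECT FORM_NAME, REPTNAME, RACF_PROFILE
  FROM <database_owner>.FORMS
 WHERE FORM_NAME = 'CONSTRUCTED_FORM';
```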


Document Information

Modified date:
18 June 2019

UID

swg21634302