Controlling access to IMS subsystems and ZDT/IMS functions

ZDT/IMS allows you to control which IMS™ subsystems a user can access when using each of the functions listed in Table 1. These functions are protected by default when you receive ZDT/IMS.

Table 1. Protected ZDT/IMS Functions
Function code Description UPDATE or READONLY
DBI Initialize dialog - generates JCL for the initialize function UPDATE
DDD Delete or define dialog - generates JCL to delete or define database data sets UPDATE
DIB Initialize - initialize databases (batch) UPDATE
IB Browse - browse a database READONLY
IBBO Batch browse dialog - generate JCL for the batch browse function READONLY
IBB Batch browse - read a database in batch (batch) READONLY
IE Edit - edit a database UPDATE
IEBO Batch edit dialog - generates JCL for the batch edit function UPDATE
IEB Batch edit - edit a database in batch (batch) UPDATE
IPRO Print dialog - generates JCL for the print function READONLY
IPR Print - print data from databases (batch) READONLY
IX Extract dialog - generates JCL for the extract function READONLY
IXB Extract - extract data from databases (batch) READONLY
IL Load dialog - generates JCL for the load function UPDATE
ILB Load - load data into databases (batch) UPDATE

You can grant or deny some or all users access to:

  1. Individual IMS subsystems by individual functions in Table 1.
  2. Individual functions in Table 1. When you grant or deny users access to individual functions, they are granted or denied access to all IMS subsystems when using these functions.
  3. Individual IMS subsystems by the update or read-only functions.
  4. The update or read-only functions. When you grant or deny users access to the update or read-only functions, they are granted or denied access to all IMS subsystems when using the update or read-only functions.

ZDT/IMS provides security for these functions, in one of two ways, either through RACF® (or an equivalent security product) or through the HFMSECUR exit.

If Security Server RACF or an equivalent security product is active, the System Authorization Facility (SAF) with the Z Data Tools enhanced security facility is used for access control and authorization verification. Authorization is controlled by ZDT/IMS-specific profiles in the FACILITY class. This chapter describes the ZDT/IMS-specific profiles that you must define to RACF or your equivalent security product. It also describes how you define these profiles to RACF. If you use another security product, consult the documentation for your product to determine how to define these profiles to your product.

If SAF with RACF (or an equivalent security product) is not active when a ZDT/IMS function is started, the function access control checks are passed to the HFMSECUR user exit instead of to SAF.

To use HFMSECUR, it must be installed in the LPA. If the HFMSECUR module is required and it cannot be found in the LPA, an error message is issued and the ZDT/IMS function will not start.

HFMSECUR is a customizable exit. It provides HFMS macros which allow you to define a table of user names or job names, Z Data Tools-protectable resources (called profiles), and access levels. For information on HFMSECUR, see "Setting up the security environment by using HFMSECUR".

Note:
  1. The HFMSECUR module is not used (even if present) if SAF with RACF or an equivalent security product is active when a ZDT/IMS function is started.
  2. ZDT/IMS functions that are not listed in Table 1 cannot be protected by RACF (or an equivalent security product) or by the HFMSECUR exit.

The rest of this section describes how you implement security controls in RACF (or an equivalent security product) for the functions in Table 1.