Setting up the security environment by using RACF or an equivalent security product

You perform the following steps to define profiles for RACF® or your equivalent security product. These steps assume that your security administrator has already controlled access to DASD volumes (DASDVOL) and facilities (FACILITY).

The following sections contain examples of setting up facility classes for Z Data Tools using RACF. For more information about RACF resource profiles, see z/OS Security Server RACF Command Language Reference.

Note: If you are using an equivalent security product, refer to that product's documentation for information on how to define and use facility classes.

You can give or deny some, or all, users access to any of the following groups of Z Data Tools functions:
FILEM.DISK.INPUT
Disk input functions
FILEM.DISK.UPDATE
Disk update functions
FILEM.TAPE.INPUT
Tape input functions
FILEM.TAPE.OUTPUT
Tape output functions
FILEM.TAPE.DUPLICATE
Tape copy functions
FILEM.TAPE.UPDATE
Tape update functions
FILEM.VSAM.UPDATE
VSAM update functions
FILEM.OAM.OUTPUT
OAM output functions
FILEM.OAM.UPDATE
OAM update functions
FILEM.LOADMOD.UPDATE
Load module update functions
FILEM.OTHER.ALL
All other functions
FILEM.TAPE.BLP
See Controlling Bypass Label Processing (BLP)
FILEM.DISK.FULLPACK
See Controlling fullpack access to DASD volumes

For more information about these groups, see Table 3.

Controlling access

Three facility groups are provided to allow you to control access to Z Data Tools base function, and to ZDT/IMS and ZDT/Db2, from the ZDT/CICS primary option menu. These groups are:
FILEM.CICS.BASE
Access to Z Data Tools base function
FILEM.CICS.IMS
Access to ZDT/IMS
FILEM.CICS.DB2
Access to ZDT/Db2

If a user ID running ZDT/CICS has read access to any of these groups, then the associated function (HFM, ZDT/IMS or ZDT/Db2) will appear on the ZDT/CICS primary option menu and the user can invoke these functions, if they are installed.

To achieve this, Z Data Tools makes RACROUTE calls, with STATUS=ACCESS, to the CICS® SAF FACILITY profiles. When RACF is used, the STATUS=ACCESS request works as documented, and no security-related logging or abends are generated, even if the user does not have access to the profile.

However, when other security products such as ACF2 are used, an S047 abend may be issued in response to the above RACROUTE request. In this case you should consult the documentation for your security product and make changes accordingly.

If you have installed and customized the ZDT/CICS component, you should review your requirement for this access.

For more information about ZDT/CICS, see Customizing Z Data Tools CICS Component, and also the Z Data Tools User’s Guide and Reference for CICS.

Protecting update functions

Three facility groups are also provided to enable you to protect update functions in Z Data Tools base function, ZDT/Db2, and ZDT/CICS. They are:
FILEM.BASE.UPDATE
Protect update functions in Z Data Tools base
FILEM.DB2.UPDATE
Protect update functions in ZDT/Db2
FILEM.CICS.UPDATE
Protect update functions in ZDT/CICS

This aspect of security is handled differently for ZDT/IMS. See Controlling access to IMS subsystems and ZDT/IMS functions.

These facility classes also require the option SEC=YES to be specified in HFM0POPT (for Z Data Tools base), HFM2POPT (for ZDT/Db2), and HFM3POPT (for ZDT/CICS). For information about the SEC option, see SEC. For more information about the protected functions, see Unprotected functions and profile names for protected functions. For a list of functions that are protected by this method, see Table 1, Customizing to protect update functions in ZDT/Db2, and Customizing to protect update functions in ZDT/CICS.

If you do not specify SEC=YES in your options modules, then no checking of these facility classes is done.

Examples of giving or denying access

You can also give or deny some, or all, users access to an individual Z Data Tools function. The following examples illustrate this.
  • To give universal access of NONE to a group of functions (for example, disk input functions), enter a RACF command similar to this:
    RDEFINE FACILITY FILEM.DISK.INPUT     UACC(NONE)

    This means that no users can use any functions in the group unless otherwise specified.

  • To give all users access to a group of functions (for example, tape input functions), enter a RACF command similar to this:
    RDEFINE FACILITY FILEM.TAPE.INPUT     UACC(READ)

  • To give a user (with user ID userid) access to a group of functions (for example, tape output functions), enter a RACF command similar to this:
    PERMIT FILEM.TAPE.OUTPUT    CLASS(FACILITY) ID(userid) ACCESS(READ)
    Similarly, to deny a user access to tape output functions, enter a RACF command similar to this:
    PERMIT FILEM.TAPE.OUTPUT    CLASS(FACILITY) ID(userid) ACCESS(NONE)

    The PERMIT statement for FILEM.TAPE.OUTPUT overrides the universal access that you specified for FILEM.TAPE.OUTPUT.

  • To give a user access to a specific function (for example, the VSAM to Tape function), enter a RACF command similar to this:
    PERMIT FILEM.FUNCTION.VT    CLASS(FACILITY) ID(userid) ACCESS(READ)
    Similarly, to deny a user access to the VT function, enter a RACF command similar to this:
    PERMIT FILEM.FUNCTION.VT    CLASS(FACILITY) ID(userid) ACCESS(NONE)

    The PERMIT statement for FILEM.FUNCTION.VT overrides any access that you specified for FILEM.TAPE.OUTPUT.

  • To give a user (with user ID userid) permission to update a load module, enter a RACF command similar to this:
    PERMIT FILEM.FUNCTION.LMU   CLASS(FACILITY) ID(userid) ACCESS(READ)

    The PERMIT statement for FILEM.FUNCTION.LMU overrides any universal access that you specified for FILEM.LOADMOD.UPDATE.

  • If the FACILITY class is not already active on your system, enter the following RACF commands to activate it:
    SETROPTS CLASSACT(FACILITY)
    SETROPTS GENERIC(FACILITY)
    SETROPTS GENCMD(FACILITY)
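The precedence the examples above describe (a FILEM.FUNCTION.xx profile overrides the group profile, and an access-list entry on a profile overrides its UACC), modelled as an added example for checking who can reach a function; it is not part of the original documentation. The FacilityClass helper, the FUNCTION_GROUPS mapping and the treatment of a function covered by no defined profile as unrestricted are assumptions.

```python
from dataclasses import dataclass, field

# RACF access levels from lowest to highest; READ is enough to use a function.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Constructed mapping of two function profiles to their group profiles,
# taken from the examples above (VT is a tape output function, LMU a load
# module update function).
FUNCTION_GROUPS = {"VT": "FILEM.TAPE.OUTPUT", "LMU": "FILEM.LOADMOD.UPDATE"}


@dataclass
class Profile:
    uacc: str = "NONE"                           # universal access (UACC)
    permits: dict = field(default_factory=dict)  # access list: userid -> level


class FacilityClass:
    """In-memory stand-in for the FACILITY class (hypothetical helper)."""

    def __init__(self):
        self.profiles = {}

    def rdefine(self, name, uacc="NONE"):        # RDEFINE FACILITY name UACC(..)
        self.profiles[name] = Profile(uacc.upper())

    def permit(self, name, userid, access):      # PERMIT name CLASS(FACILITY) ..
        if name not in self.profiles:            # RACF rejects PERMIT on an
            raise KeyError(f"{name} is not defined")  # undefined profile
        self.profiles[name].permits[userid] = access.upper()

    def profile_access(self, name, userid):
        """Access one profile grants: the access-list entry if present,
        else UACC; None when the profile is not defined at all."""
        p = self.profiles.get(name)
        if p is None:
            return None
        return p.permits.get(userid, p.uacc)


def effective_access(fac, function, userid):
    """Return (level, deciding_profile). The FILEM.FUNCTION.xx profile is
    consulted first and overrides the group profile; (None, None) means no
    defined profile covers the function (assumed to be unrestricted)."""
    for name in (f"FILEM.FUNCTION.{function}", FUNCTION_GROUPS[function]):
        level = fac.profile_access(name, userid)
        if level is not None:
            return level, name
    return None, None


def can_use(fac, function, userid):
    level, _ = effective_access(fac, function, userid)
    return level is None or LEVELS.index(level) >= LEVELS.index("READ")
```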