The Database Access Control facility

Use the Database Access Control facility to control users' access to databases when running functions in BMP mode.

Depending on which profiles you define, access checking may be performed when the function uses a dynamic PSB, when the function uses a static PSB, or when the function uses both a dynamic PSB and a static PSB.

To activate access checking for functions using a dynamic PSB, do the following:

  1. Define a FACILITY class profile named FILEM.IMS1.DBDYNAM
  2. Give all users whose access you want checked READ access to this resource.

To activate access checking for functions using a static PSB, do the following:

  1. Define a FACILITY class profile named FILEM.IMS1.DBSTATIC
  2. Give all users whose access you want checked READ access to this resource.

Once access checking is activated, FM/IMS issues RACROUTE calls to determine whether the user is authorized to access the database specified on the entry panel or in the batch JCL. The RACROUTE call is for the XFACILIT class resource FILEM.IMS1.ssid.DB.dbname, where ssid is the IMS subsystem name and dbname is the name of the database that the user is attempting to access.

  • For access by a read-only function, a user requires a minimum of READ access.
  • For access by an update function, a user requires a minimum of UPDATE access.

Create corresponding profiles to protect this resource.

RACF® examples

  1. Activating access checking for functions using a dynamic PSB.

    With these commands, checking is activated for all users:

    RDEFINE FACILITY FILEM.IMS1.DBDYNAM AUDIT(NONE) +
            UACC(READ) OWNER(ownerid)
    SETROPTS RACLIST(FACILITY) REFRESH

  2. Activating access checking for functions using a static PSB.

    With these commands, checking is activated for all users:

    RDEFINE FACILITY FILEM.IMS1.DBSTATIC AUDIT(NONE) +
            UACC(READ) OWNER(ownerid)
    SETROPTS RACLIST(FACILITY) REFRESH

  3. Ensure users do not obtain access to databases through profiles that are less specific than the profile FILEM.IMS1.*.DB.*

    RDEFINE XFACILIT FILEM.IMS1.*.DB.* AUDIT(NONE) +
            UACC(NONE) OWNER(ownerid)
    SETROPTS RACLIST(XFACILIT) REFRESH

  4. Allow user dbadmin to update all databases in subsystem IF52, and allow all other users to read these databases.

    RDEFINE XFACILIT FILEM.IMS1.IF52.DB.* AUDIT(NONE) +
            UACC(READ) OWNER(ownerid)
    PERMIT FILEM.IMS1.IF52.DB.* CLASS(XFACILIT) +
           ID(dbadmin) ACC(UPDATE)
    SETROPTS RACLIST(XFACILIT) REFRESH

  5. Allow user fmuser1 to update database DJ1E in subsystem IF52, and allow all other users to read this database.

    RDEFINE XFACILIT FILEM.IMS1.IF52.DB.DJ1E AUDIT(NONE) +
            UACC(READ) OWNER(ownerid)
    PERMIT FILEM.IMS1.IF52.DB.DJ1E CLASS(XFACILIT) +
           ID(fmuser1) ACCESS(UPDATE)
    SETROPTS RACLIST(XFACILIT) REFRESH
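
How the XFACILIT profiles from examples 3 to 5 combine, as an added example that is not part of the product documentation or IBM code. It is a simplified Python model that assumes checking is already activated, treats * as matching exactly one qualifier, and ignores group connections; the subsystem IF99 and database DB2X are constructed test inputs. It shows that RACF consults only the most specific matching profile, so once example 5 is in place dbadmin holds READ, not UPDATE, on DJ1E unless dbadmin is also permitted on that profile.

```python
# Simplified model (an assumption of this example): '*' matches exactly one
# qualifier, and a literal qualifier is more specific than '*'.
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2}

# XFACILIT profiles from RACF examples 3-5: name -> (UACC, access list)
PROFILES = {
    "FILEM.IMS1.*.DB.*": ("NONE", {}),
    "FILEM.IMS1.IF52.DB.*": ("READ", {"dbadmin": "UPDATE"}),
    "FILEM.IMS1.IF52.DB.DJ1E": ("READ", {"fmuser1": "UPDATE"}),
}

def matches(profile, resource):
    p, r = profile.split("."), resource.split(".")
    return len(p) == len(r) and all(a in ("*", b) for a, b in zip(p, r))

def best_profile(resource):
    """Return the single most specific matching profile name."""
    hits = [p for p in PROFILES if matches(p, resource)]
    if not hits:
        raise LookupError(f"no profile covers {resource}")
    # Literal qualifiers (False) sort ahead of '*' (True), position by position.
    return min(hits, key=lambda p: [q == "*" for q in p.split(".")])

def effective_access(user, ssid, dbname):
    """Access level the user holds on FILEM.IMS1.ssid.DB.dbname."""
    profile = best_profile(f"FILEM.IMS1.{ssid}.DB.{dbname}")
    uacc, acl = PROFILES[profile]
    # Only the chosen profile is consulted; an access-list entry for the
    # user takes precedence over UACC.
    return profile, acl.get(user, uacc)

def allowed(user, ssid, dbname, update):
    """READ suffices for read-only functions, UPDATE for update functions."""
    _, level = effective_access(user, ssid, dbname)
    return LEVELS[level] >= LEVELS["UPDATE" if update else "READ"]

if __name__ == "__main__":
    cases = [("fmuser1", "IF52", "DJ1E"), ("dbadmin", "IF52", "DJ1E"),
             ("dbadmin", "IF52", "DB2X"), ("fmuser1", "IF99", "DJ1E")]
    for user, ssid, db in cases:
        print(user, ssid, db, effective_access(user, ssid, db))
```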