IMS™ subsystems and FM/IMS functions access control facility
FM/IMS allows you to control which IMS™ subsystems a user can access when using each of the functions listed in Protected FM/IMS Functions. These functions are protected by default when you receive FM/IMS.
| Function code | Description | UPDATE or READONLY |
|---|---|---|
| DBI | Initialize dialog - generates JCL for the initialize function | UPDATE |
| DDD | Delete or define dialog - generates JCL to delete or define database data sets | UPDATE |
| DIB | Initialize - initialize databases (batch) | UPDATE |
| IB | Browse - browse a database | READONLY |
| IBBO | Batch browse dialog - generate JCL for the batch browse function | READONLY |
| IBB | Batch browse - read a database in batch (batch) | READONLY |
| IE | Edit - edit a database | UPDATE |
| IEBO | Batch edit dialog - generates JCL for the batch edit function | UPDATE |
| IEB | Batch edit - edit a database in batch (batch) | UPDATE |
| IPRO | Print dialog - generates JCL for the print function | READONLY |
| IPR | Print - print data from databases (batch) | READONLY |
| IX | Extract dialog - generates JCL for the extract function | READONLY |
| IXB | Extract - extract data from databases (batch) | READONLY |
| IL | Load dialog - generates JCL for the load function | UPDATE |
| ILB | Load - load data into databases (batch) | UPDATE |
You can grant or deny some or all users access to:
- Individual IMS™ subsystems by individual functions in Protected FM/IMS Functions.
- Individual functions in Protected FM/IMS Functions. When you grant or deny users access to individual functions, they are granted or denied access to all IMS™ subsystems when using these functions.
- Individual IMS™ subsystems by the update or read-only functions.
- The update or read-only functions. When you grant or deny users access to the update or read-only functions, they are granted or denied access to all IMS™ subsystems when using the update or read-only functions.
FM/IMS provides security for these functions, in one of two ways, either through RACF® (or an equivalent security product) or through the FMNSECUR exit.
If Security Server RACF® or an equivalent security product is active, the System Authorization Facility (SAF) with the File Manager enhanced security facility is used for access control and authorization verification. Authorization is controlled by FM/IMS-specific profiles in the FACILITY class. This chapter describes the FM/IMS-specific profiles that you must define to RACF® or your equivalent security product. It also describes how you define these profiles to RACF®. If you use another security product, consult the documentation for your product to determine how to define these profiles to your product.
If SAF with RACF® (or an equivalent security product) is not active when a File Manager/IMS function is started, the function access control checks are passed to the FMNSECUR user exit instead of to SAF.
To use FMNSECUR, it must be installed in the LPA. If the FMNSECUR module is required and it cannot be found in the LPA, an error message is issued and the FM/IMS function will not start.
FMNSECUR is a customizable exit. It provides FMNS macros which allow you to define a table of user names or job names, File Manager-protectable resources (called profiles), and access levels. For information on FMNSECUR, see "Setting up the security environment by using FMNSECUR".
- The FMNSECUR module is not used (even if present) if SAF with RACF® or an equivalent security product is active when a File Manager/IMS function is started.
- FM/IMS functions that are not listed in Protected FM/IMS Functions cannot be protected by RACF® (or an equivalent security product) or by the FMNSECUR exit.
The rest of this section describes how you implement security controls in RACF® (or an equivalent security product) for the functions in Protected FM/IMS Functions.