The Database Access Control facility

Use the Database Access Control facility to control users' access to databases when running FM/IMS functions. You have the option of controlling users' access to databases when functions run in BMP or DLI mode.

Depending on which profiles you define, access checking may be performed when the function uses a dynamic PSB, when the function uses a static PSB, or when the function uses a dynamic or static PSB.

To activate access checking for functions using a dynamic PSB, do the following:

  1. Define a FACILITY class profile named FILEM.IMS1.DBDYNAM
  2. Give all users whose access you want checked UPDATE or READ access to this resource:
    • UPDATE access, if you want access checking to be performed when functions run in BMP or DLI mode.
    • READ access, if you want access checking to be performed only when functions run in BMP mode.

To activate access checking for functions using a static PSB, do the following:

  1. Define a FACILITY class profile named FILEM.IMS1.DBSTATIC
  2. Give all users whose access you want checked UPDATE or READ access to this resource:
    • UPDATE access, if you want access checking to be performed when functions run in BMP or DLI mode.
    • READ access, if you want access checking to be performed only when functions run in BMP mode.
Once access checking is activated, FM/IMS issues RACROUTE calls to determine whether the user is authorized to access the database specified on the entry panel or in the batch JCL. The RACROUTE call is for the XFACILIT class resource FILEM.IMS1.ssid.DB.dbname, where ssid is the IMS subsystem name and dbname is the name of the database that the user is attempting to access.
  • For access by a read-only function, a user requires a minimum of READ access.
  • For access by an update function, a user requires a minimum of UPDATE access.

Create corresponding profiles to protect this resource.

If you plan to use the Database Access Control facility to control users' access to databases when running functions in DLI mode, there is one additional requirement. You must define the IMS subsystems to be dynamic allocation only. You do so by setting the DYNALLOC parameter to Y when you customize the FM/IMS options module.

For more information on the DYNALLOC parameter, see FM/IMS options.

Logging unauthorized access attempts

The Database Access Control facility supports writing RACF audit records to SMF.

To activate logging for an IMS subsystem, do the following:
  1. Define a FACILITY class profile named FILEM.IMS1.ssid.DBLOG where, ssid is the IMS subsystem name.
  2. Give all users whose access you want logged READ access to this profile.
To activate logging for all IMS subsystems or IMS subsystems whose name match a pattern, replace the ssid in the profile name in step 1 with an asterisk (*) or the name pattern.

RACF® examples

  1. Activating access checking for functions that use a dynamic PSB and run in BMP mode.

    With these commands, checking is activated for all users:

    RDEFINE FACILITY FILEM.IMS1.DBDYNAM AUDIT(NONE) +
            UACC(READ) OWNER(ownerid)
    SETROPTS RACLIST(FACILITY) REFRESH
  2. Activating access checking for functions that use a static PSB and run in BMP or DLI mode.

    With these commands, checking is activated for all users:

    RDEFINE FACILITY FILEM.IMS1.DBSTATIC AUDIT(NONE) +
            UACC(UPDATE) OWNER(ownerid)
    SETROPTS RACLIST(FACILITY) REFRESH
  3. Ensure users do not obtain access to databases through profiles that are less specific than the profile FILEM.IMS1.*.DB.*
    RDEFINE XFACILIT FILEM.IMS1.*.DB.* AUDIT(NONE) +
            UACC(NONE) OWNER(ownerid)
    SETROPTS RACLIST(XFACILIT) REFRESH
  4. Allow user dbadmin to update all databases in subsystem IF52, and allow all other users to read these databases.
    RDEFINE XFACILIT FILEM.IMS1.IF52.DB.* AUDIT(NONE) +
            UACC(READ) OWNER(ownerid)
    PERMIT FILEM.IMS1.IF52.DB.* CLASS(XFACILIT) +
           ID(dbadmin) ACC(UPDATE)
    SETROPTS RACLIST(XFACILIT) REFRESH
  5. Allow user fmuser1 to update database DJ1E in subsystem IF52, and allow all other users to read this database.
    RDEFINE XFACILIT FILEM.IMS1.IF52.DB.DJ1E AUDIT(NONE) +
            UACC(READ) OWNER(ownerid)
    PERMIT FILEM.IMS1.IF52.DB.DJ1E CLASS(XFACILIT) +
           ID(fmuser1) ACCESS(UPDATE)
    SETROPTS RACLIST(XFACILIT) REFRESH
  6. Activating logging for subsystem IF52.

    With these commands, logging is activated for all users:

    RDEFINE FACILITY FILEM.IMS1.IF52.DBLOG AUDIT(NONE) +
            UACC(READ) OWNER(ownerid)
    SETROPTS RACLIST(FACILITY) REFRESH
  7. Activating logging for all subsystems.

    With these commands, logging is activated for all users:

    RDEFINE FACILITY FILEM.IMS1.*.DBLOG AUDIT(NONE) +
            UACC(READ) OWNER(ownerid)
    SETROPTS RACLIST(FACILITY) REFRESH