Setting up the security environment by using RACF® or an equivalent security product
You perform the following steps to define profiles for RACF® or your equivalent security product. These steps assume that your security administrator has already controlled access to DASD volumes (DASDVOL) and facilities (FACILITY).
The following sections contain examples of setting up facility classes for File Manager using RACF®. For more information about RACF® resource profiles, see z/OS Security Server RACF Command Language Reference.
- FILEM.DISK.INPUT
- Disk input functions
- FILEM.DISK.UPDATE
- Disk update functions
- FILEM.TAPE.INPUT
- Tape input functions
- FILEM.TAPE.OUTPUT
- Tape output functions
- FILEM.TAPE.DUPLICATE
- Tape copy functions
- FILEM.TAPE.UPDATE
- Tape update functions
- FILEM.VSAM.UPDATE
- VSAM update functions
- FILEM.OAM.OUTPUT
- OAM output functions
- FILEM.OAM.UPDATE
- OAM update functions
- FILEM.LOADMOD.UPDATE
- Load module update functions
- FILEM.OTHER.ALL
- All other functions
- FILEM.TAPE.BLP
- See Controlling Bypass Label Processing (BLP)
- FILEM.DISK.FULLPACK
- See Controlling fullpack access to DASD volumes
For more information about these groups, see File Manager function to profile name cross-reference.
Controlling access
- FILEM.CICS.BASE
- Access to File Manager base function
- FILEM.CICS.IMS
- Access to FM/IMS
- FILEM.CICS.DB2
- Access to FM/Db2
If a user ID running FM/CICS has read access to any of these groups, then the associated function (FM, FM/IMS or FM/Db2) will appear on the FM/CICS primary option menu and the user can invoke these functions, if they are installed.
To achieve this File Manager makes RACROUTE calls, with STATUS=ACCESS, to the CICS® SAF FACILITY profiles. When RACF® is used, the STATUS=ACCESS request works as documented, and no security-related logging or abends are generated, even if you do not have access to the profile.
However, when other security products such as ACF2 are used, an S047 abend may be issued in response to the above RACROUTE request. In this case you should consult the documentation for your security product and make changes accordingly.
If you have installed and customized the FM/CICS component, you should review your requirement for this access.
For more information about FM/CICS, see Customizing File Manager CICS Component, and also the File Manager User’s Guide and Reference for CICS.
Protecting update functions
- FILEM.BASE.UPDATE
- Protect update functions in File Manager base
- FILEM.DB2.UPDATE
- Protect update functions in FM/Db2
- FILEM.CICS.UPDATE
- Protect update functions in FM/CICS
This aspect of security is handled differently for FM/IMS. See IMS subsystems and FM/IMS functions access control facility.
These facility classes also require the option SEC=YES to be specified in FMN0POPT (for File Manager base), FMN2POPT (for FM/Db2), and FMN3POPT (for FM/CICS). For information about the SEC option, see SEC. For more information about the protected functions, see Unprotected functions and profile names for protected functions. For a list of functions that are protected by this method, see File Manager unprotected functions, Customizing to protect update functions in FM/Db2, and Customizing to protect update functions in FM/CICS.
If you do not specify SEC=YES in your options modules, then no checking of these facility classes is done.
Examples of giving or denying access
- To give universal access of NONE to a group of functions (for
example, disk input functions), enter a RACF® command
similar to this:
RDEFINE FACILITY FILEM.DISK.INPUT UACC(NONE)
This means that no users can use any functions in the group unless otherwise specified.
- To give all users access to a group of functions (for example,
tape input functions), enter a RACF® command
similar to this:
RDEFINE FACILITY FILEM.TAPE.INPUT UACC(READ)
- To give a user (with user ID userid)
access to a group of functions (for example, tape output functions),
enter a RACF® command similar
to this:
PERMIT FILEM.TAPE.OUTPUT CLASS(FACILITY) ID(userid) ACCESS(READ)
Similarly, to deny a user access to tape output functions, enter a RACF® command similar to this:PERMIT FILEM.TAPE.OUTPUT CLASS(FACILITY) ID(userid) ACCESS(NONE)
The PERMIT statement for FILEM.TAPE.OUTPUT overrides the universal access that you specified for FILEM.TAPE.OUTPUT.
- To give a user access to a specific function (for example, the
VSAM to Tape function), enter a RACF® command
similar to this:
PERMIT FILEM.FUNCTION.VT CLASS(FACILITY) ID(userid) ACCESS(READ)
Similarly, to deny a user access to the VT function, enter a RACF® command similar to this:PERMIT FILEM.FUNCTION.VT CLASS(FACILITY) ID(userid) ACCESS(NONE)
The PERMIT statement for FILEM.FUNCTION.VT overrides any access that you specified for FILEM.TAPE.OUTPUT.
- To give a user (with user ID userid)
permission to update a load module, enter a RACF® command similar to this:
PERMIT FILEM.FUNCTION.LMU CLASS(FACILITY) ID(userid) ACCESS(READ)
The PERMIT statement for FILEM.FUNCTION.LMU overrides any universal access that you specified for FILEM.LOADMOD.UPDATE.
- If the FACILITY class is not already active on your system, enter
the following RACF® commands
to activate it:
SETROPTS CLASSACT(FACILITY) SETROPTS GENERIC(FACILITY) SETROPTS GENCMD(FACILITY)