Setting up the security environment by using RACF® or an equivalent security product

You perform the following steps to define profiles for RACF® or your equivalent security product. These steps assume that your security administrator has already controlled access to DASD volumes (DASDVOL) and facilities (FACILITY).

The following sections contain examples of setting up facility classes for File Manager using RACF®. For more information about RACF® resource profiles, see z/OS Security Server RACF Command Language Reference.

Note: If you are using an equivalent security product, refer to that product's documentation for information on how to define and use facility classes.
You can give or deny some, or all, users access to any of the following groups of File Manager functions:
FILEM.DISK.INPUT
Disk input functions
FILEM.DISK.UPDATE
Disk update functions
FILEM.TAPE.INPUT
Tape input functions
FILEM.TAPE.OUTPUT
Tape output functions
FILEM.TAPE.DUPLICATE
Tape copy functions
FILEM.TAPE.UPDATE
Tape update functions
FILEM.VSAM.UPDATE
VSAM update functions
FILEM.OAM.OUTPUT
OAM output functions
FILEM.OAM.UPDATE
OAM update functions
FILEM.LOADMOD.UPDATE
Load module update functions
FILEM.OTHER.ALL
All other functions
FILEM.TAPE.BLP
See Controlling Bypass Label Processing (BLP)
FILEM.DISK.FULLPACK
See Controlling fullpack access to DASD volumes

For more information about these groups, see File Manager function to profile name cross-reference.

Controlling access

Three facility groups are provided to allow you to control access to File Manager base function, and to FM/IMS and FM/Db2, from the FM/CICS primary option menu. These groups are:
FILEM.CICS.BASE
Access to File Manager base function
FILEM.CICS.IMS
Access to FM/IMS
FILEM.CICS.DB2
Access to FM/Db2

If a user ID running FM/CICS has read access to any of these groups, then the associated function (FM, FM/IMS or FM/Db2) will appear on the FM/CICS primary option menu and the user can invoke these functions, if they are installed.

To achieve this File Manager makes RACROUTE calls, with STATUS=ACCESS, to the CICS® SAF FACILITY profiles. When RACF® is used, the STATUS=ACCESS request works as documented, and no security-related logging or abends are generated, even if you do not have access to the profile.

However, when other security products such as ACF2 are used, an S047 abend may be issued in response to the above RACROUTE request. In this case you should consult the documentation for your security product and make changes accordingly.

If you have installed and customized the FM/CICS component, you should review your requirement for this access.

For more information about FM/CICS, see Customizing File Manager CICS Component, and also the File Manager User’s Guide and Reference for CICS.

Protecting update functions

Three facility groups are also provided to enable you to protect update functions in File Manager base function, FM/Db2, and FM/CICS. They are:
FILEM.BASE.UPDATE
Protect update functions in File Manager base
FILEM.DB2.UPDATE
Protect update functions in FM/Db2
FILEM.CICS.UPDATE
Protect update functions in FM/CICS

This aspect of security is handled differently for FM/IMS. See IMS subsystems and FM/IMS functions access control facility.

These facility classes also require the option SEC=YES to be specified in FMN0POPT (for File Manager base), FMN2POPT (for FM/Db2), and FMN3POPT (for FM/CICS). For information about the SEC option, see SEC. For more information about the protected functions, see Unprotected functions and profile names for protected functions. For a list of functions that are protected by this method, see File Manager unprotected functions, Customizing to protect update functions in FM/Db2, and Customizing to protect update functions in FM/CICS.

If you do not specify SEC=YES in your options modules, then no checking of these facility classes is done.

Examples of giving or denying access

You can also give or deny some, or all, users access to an individual File Manager function. The following examples illustrate this.
  • To give universal access of NONE to a group of functions (for example, disk input functions), enter a RACF® command similar to this:
    RDEFINE FACILITY FILEM.DISK.INPUT     UACC(NONE)

    This means that no users can use any functions in the group unless otherwise specified.

  • To give all users access to a group of functions (for example, tape input functions), enter a RACF® command similar to this:
    RDEFINE FACILITY FILEM.TAPE.INPUT     UACC(READ)
  • To give a user (with user ID userid) access to a group of functions (for example, tape output functions), enter a RACF® command similar to this:
    PERMIT FILEM.TAPE.OUTPUT    CLASS(FACILITY) ID(userid) ACCESS(READ)
    Similarly, to deny a user access to tape output functions, enter a RACF® command similar to this:
    PERMIT FILEM.TAPE.OUTPUT    CLASS(FACILITY) ID(userid) ACCESS(NONE)

    The PERMIT statement for FILEM.TAPE.OUTPUT overrides the universal access that you specified for FILEM.TAPE.OUTPUT.

  • To give a user access to a specific function (for example, the VSAM to Tape function), enter a RACF® command similar to this:
    PERMIT FILEM.FUNCTION.VT    CLASS(FACILITY) ID(userid) ACCESS(READ)
    Similarly, to deny a user access to the VT function, enter a RACF® command similar to this:
    PERMIT FILEM.FUNCTION.VT    CLASS(FACILITY) ID(userid) ACCESS(NONE)

    The PERMIT statement for FILEM.FUNCTION.VT overrides any access that you specified for FILEM.TAPE.OUTPUT.

  • To give a user (with user ID userid) permission to update a load module, enter a RACF® command similar to this:
    PERMIT FILEM.FUNCTION.LMU   CLASS(FACILITY) ID(userid) ACCESS(READ)

    The PERMIT statement for FILEM.FUNCTION.LMU overrides any universal access that you specified for FILEM.LOADMOD.UPDATE.

  • If the FACILITY class is not already active on your system, enter the following RACF® commands to activate it:
    SETROPTS CLASSACT(FACILITY)
    SETROPTS GENERIC(FACILITY)
    SETROPTS GENCMD(FACILITY)