CA-L-Serv Configuration Tasks › Update External Security for CA-L-Serv › How the Update Tasks are accomplished › Implement Security with RACF

Implement Security with RACF

The following are sample definitions for users running under RACF. The actual implementation in your environment may differ from these templates.

• Add an entry for the new resource class to the Class Descriptor Table. The Class Descriptor Table ICHRRCDE must then be assembled and linked into SYS1.LPALIB. For example:

  LSERVDSN ICHERCDE CLASS=$LSRVDSN,                     X
                 ID=(valid installation value),         X
                 MAXLNTH=44,                            X
                 FIRST=ALPHA,                           X
                 OTHER=ANY,                             X
                 POSIT=(valid installation value),      X
                 OPER=NO,                               X
                 RACLIST=ALLOWED,                       X
                 DFTUACC=NONE
  

  Consult the RACF bibliography for the correct values for
  ID and POSIT. You must consider both IBM and site restrictions.

Important! Changes to the Class Descriptor Table require an IPL to take effect.

• Update the link to the RACF Router Table.

  The CA‑L‑Serv interface uses the RACROUTE macro. Therefore, the RACF Router Table (ICHRFR01) must also
  be updated and linked into a link listed library. For example:

  ICHRFRTB CLASS=$LSRVDSN,                     X
           ACTION=RACF
  

• Activate the $LSRVDSN class.

  Following an IPL with the new Class Descriptor Table, enter the following command:

  SETROPTS CLASSACT($LSRVDSN)
  

• Define the data sets to RACF using the $LSRVDSN class.

  You can issue commands to define the data sets that are under the control of CA‑L‑Serv:

  RDEF $LSRVDSN dsname1 UACC(NONE) OWNER(ownerid)
  RDEF $LSRVDSN dsname2 UACC(NONE) OWNER(ownerid)
  RDEF $LSRVDSN dsname3 UACC(NONE) OWNER(ownerid)   (etc.. )
  

  Optionally, you can define a resource of 'ALL' to represent all the data sets under CA‑L‑Serv control:

  RDEF $LSRVDSN all     UACC(NONE) OWNER(ownerid)
  

• Permit the users access to the CA‑L‑Serv data sets.

  Once data sets are defined as resources, issue commands to permit users access to these data sets using the $LSRVDSN resource class:

  PERMIT dsname1 ID(userid1) AC(CONTROL) CLASS($LSRVDSN)
  PERMIT dsname2 ID(userid1) AC(CONTROL) CLASS($LSRVDSN) ...
  

  Optionally, you can permit CA‑L‑Serv users access to the 'ALL' resource:

  PERMIT all     ID(userid1) AC(CONTROL) CLASS($LSRVDSN)
  PERMIT all     ID(userid2) AC(CONTROL) CLASS($LSRVDSN)
  PERMIT all     ID(userid3) AC(CONTROL) CLASS($LSRVDSN)
  

• Define CA‑L‑Serv to RACF.

  Create a user ID for CA‑L‑Serv providing access to its data sets. To do this, type:

  AU lsrv‑id DFLTGRP(systask) PASSWORD(xxxxxxxx)
  

  In this example, a user ID of lsrv‑id and a group of systask are chosen. These are arbitrary names; any name of up to seven characters is valid.

• Add CA‑L‑Serv to the RACF Started Procedures Table.

  There must be an entry for CA‑L‑Serv in the RACF Started Procedures Table (ICHRIN03). This can be accomplished in either of the following ways:

  • Establish a separate entry for the CA‑L‑Serv started task.
  • For example:

    	LSERV DC CL8'LSERV'     CA‑L‑Serv proc name
    		DC CL8'LSERVID'   CA‑L‑Serv userid
    		DC CL8'SYSTASK'   CA‑L‑Serv group
    		DC XL1'00'        unused
    		DC XL7'00'        unused
    

    In addition, it is necessary to add 1 to the number of entries in the table. This table must be assembled and linked into SYS1.LPALIB, and an IPL must be performed.

  • If a generic entry exists in the table, you may set up the CA‑L‑Serv procname and user ID to conform to that entry.
• Give CA‑L‑Serv authority to access its data sets using the PERMIT command:

  PERMIT 'data set name' ID(LSERVID) ACCESS(CONTROL)