Implementing External Security with RACF › Create Access Permissions with RACF

Create Access Permissions with RACF

Connecting or permitting site-defined user names authorizes them to the groups or profiles that either you or DEFSAF defined. Execute the REXX DEFSAF utility to define the resource names and groups. Execute DEFSAF again to add user names to those groups.

Use IBM RACF to create access permissions. You can perform these steps in any order.

Follow these steps:

1. Execute the following command to provide the OPSUSER with READ access to all CA OPS/MVS protected resources:

   ISPF EDIT on member DEFSAF in opshlq.CCLXEXEC
   !OI ALL ACT(PERMIT) SAFRO(OPSUSER)
   

   or

   !OX ‘opshlq.CCLXEXEC(DEFSAF)’ ALL ACT(PERMIT) SAFRO(OPSUSER)
   

2. Execute the following command to provide the OPSOPER with UPDATE access to all CA OPS/MVS protected resources:

   ISPF EDIT on member DEFSAF in opshlq.CCLXEXEC
   !OI OPSAOF ACT(PERMIT) SAFRW(OPSOPER)
   

   or

   !OX ‘opshlq.CCLXEXEC(DEFSAF)' OPSAOF ACT(PERMIT) SAFRW(OPSOPER)
   

3. Execute the following command to provide OPSSQL1 with READ access to all SQL commands:

   ISPF EDIT on member DEFSAF in opshlq.CCLXEXEC
   !OI OPSSQL ACT(PERMIT) SAFRO(OPSSQL1)
   

   or

   !OX ‘opshlq.CCLXEXEC(DEFSAF)’ OPSSQL ACT(PERMIT) SAFRO(OPSSQL1)
   

   Note: The BATCH(Y) option generates the member in opqhlq.OPSx.DEFSAF named PERRACF. Send this member to your security administrator to run the RACF commands in the member from an authorized user ID. If the user ID where you run the DEFSAF command has sufficient authority, specify BATCH(N) and then issue the commands directly from DEFSAF.

4. Execute OPSSQL1 either with or without GROUPS as follows:
   • Execute OPSSQL1 without GROUPS(Y) and with UPDATE access to all aspects of SQL commands:

     ISPF EDIT on member DEFSAF in opshlq.CCLXEXEC
     !OI OPSSQL ACT(PERMIT) SAFRW(OPSSQL1) GROUPS(Y)
     

     or

     !OX ‘opshlq.CCLXEXEC(DEFSAF)’ OPSSQL ACT(PERMIT) SAFRW(OPSSQL1) GROUPS(Y)
     

   • Execute OPSSQL1 with GROUPS(N) to permit the same access without using groups:

     TSO OX 'opshlq.CCLXEXEC(DEFSAF)' OPSSQL ACT(PERMIT) SAFRO(OPSSQL1) GROUPS(N)
     ISPF EDIT on member DEFSAF in opshlq.CCLXEXEC
     !OI OPSSQL ACT(PERMIT) SAFRO(OPSSQL1) GROUPS(N)
     

     or

     !OX ‘opshlq.CCLXEXEC(DEFSAF)’ OPSSQL ACT(PERMIT) SAFRO(OPSSQL1) GROUPS(N)
     

5. If you did not use DEFSAF, provide OPSSQL1 with READ access to all SQL commands by issuing the following sample RACF command:

   PERMIT OP$MVS.SQL.* CLASS(FACILITY) ID(OPSSQL1) ACCESS(READ)
   

You have created your access permissions with IBM RACF.