Authorize User IDs to Use a Specific Command

Implementing External Security with RACF › Authorize User IDs to Use a Specific Command

Authorize User IDs to Use a Specific Command

Group names are derived from the facility names that are associated with the security event the group name protects. The resources of some facilities have READ access, other facilities have UPDATE access, and other facilities have both READ and UPDATE verbs. Therefore, the group names are encoded following this pattern:

Facility	Group Name
READ access only	The group name is the same as the facility name or derived from the facility name.
UPDATE access only	The group name is the same as the facility name or derived from the facility name.
READ and UPDATE access	The group name for update access is derived from the facility name for UPDATE. The group name for read access is derived from the facility name with an appended R.

Facility

Group Name

READ access only

The group name is the same as the facility name or derived from the facility name.

UPDATE access only

The group name is the same as the facility name or derived from the facility name.

READ and UPDATE access

The group name for update access is derived from the facility name for UPDATE.

The group name for read access is derived from the facility name with an appended R.

You can authorize a specific user ID or group of user IDs to use a particular CA OPS/MVS command either manually or using DEFSAF. The first procedure explains how to add authorizations manually. The second procedure explains how to execute the CA OPS/MVS REXX program DEFSAF.

Follow these steps:

Look up the command or function in Commands and Functions that Generate External Security. In the row where you find your command or function, make the following notes:
- Note the associated Facility name.
- Note whether your command includes verbs that generate either READ or UPDATE access.
Find the corresponding row that matches both your Facility name and access value. In that row, make a note of the group name.
Add the user ID or group of user IDs you want to authorize to the RACF group.
Issue this RACF command:
```
CONNECT(userid) GROUP(RACF_group_name)
```
You have manually authorized your user IDs.

Follow these steps:

Look up the command or function in Commands and Functions that Generate External Security. In the row where you find your command or function, make the following notes:
- Note the associated Facility name.
- Note whether your command includes verbs that generate either READ or UPDATE access.
Find your access value and do the following tasks:
- If your access value is READ, then execute DEFSAF as follows:
```
DEFSAF <facility> ACT(PERMIT) SAFRO(<userid>)
```
- If your access value is UPDATE, then execute DEFSAF as follows:
```
DEFSAF <facility> ACT(PERMIT) SAFRW(<userid>)
```
  <facility>
  
  Specify the facility name.
  
  <userid>
  
  Specify the user ID or group you want to authorize.
You have authorized your user IDs using DEFSAF.

Tell Technical Publications how we can improve this information