Implementing External Security with RACF › Customize Resource Classes with RACF

Customize Resource Classes with RACF

The CA OPS/MVS parameter EXTSECCLASS determines the class name that is used to make SAF calls to authorize resources. EXTSECCLASS defaults to FACILITY, which is a built-in class that is supplied with RACF. You can separate the RACF resource profiles under a resource class name for CA OPS/MVS.

Note: Third-party products use the FACILITY class when they do not need to create a user class.

The following steps guide you through customizing RACF rules under a different resource class name.

Follow these steps:

1. Access the local RACF class descriptor table (CDT).
2. Add new resource classes to the CDT.

   The CDT contains two parts:

   • A system-defined part
   • An installation-defined part named ICHRRCDE
3. Add new resource classes to ICHRRCDE using one of the following methods:
   • Code the ICHERCDE macro
   • Dynamically, using the CDT class definition process

   By default, all of the resources you defined to RACF for CA OPS/MVS are added to the IBM built-in FACILITY class.

4. Define your resource class dynamically by running DEFSAF with the following arguments:

   CDT ACT(DEFINE) SAFCL(yourname)
   

   The resource class is created.

   Note: The REXX program DEFSAF is distributed with CA OPS/MVS to help define and maintain access to CA OPS/MVS security resources.

5. Specify the new resource class name on the EXTSECCLASS parameter before starting CA OPS/MVS.

The RACF rules are customized under a different resource class name.

Note: See the following IBM guides:

• SA22-7681 Security Server RACF System Programmer’s Guide for instructions on updating ICHRRCDE
• SA22-7683 Security Server RACF Security Administrator's Guide for instructions on adding a dynamic CDT class