Implementing External Security for RACF

To use RACF to manage CA View external security, do the following:

  1. Create or add code to the RACF Class Descriptor Table.

    For example, the following job creates a Class Descriptor Table that contains the CA View class name. The table must be assembled and linked as ICHRRCDE. If you have already created one of these tables, you must include it in the link step. Otherwise, remove the INCLUDE SYSLMOD(ICHRRCDE) statement from the link step.

    //EXAMPLE   JOB ACCOUNT,PROGRAMMER
    //CDT EXEC HLASMCL,PARM.C=(OBJECT,NODECK)
    //C.SYSLIB DD DSN=SYS1.MODGEN,DISP=SHR
    //C.SYSIN DD *
    CHA1VIEW ICHERCDE CLASS=CHA1VIEW,ID=128,MAXLNTH=246,FIRST=ALPHA,  +
                   OTHER=ANY,POSIT=25,OPER=NO
             ICHERCDE
    /*
    //L.SYSLMOD DD DSN=SYS1.LINKLIB,
    // DISP=SHR
    //L.SYSIN DD *
          INCLUDE SYSLMOD(ICHRRCDE) NEEDED IF ADDING TO AN EXISTING TABLE
          ORDER CHA1VIEW
          ORDER ICHRRCDE
          NAME ICHRRCDE(R)
    /*
    
  2. Add the CA View class names to the RACF Router Table, for example:
    //EXAMPLE   JOB ACCOUNT,PROGRAMMER
    //RT EXEC HLASMCL
    //C.SYSLIB DD DSN=SYS1.MODGEN,DISP=SHR
    //C.SYSIN  DD *
    ICHRFR01 CSECT
    CHA1VIEW ICHRFRTB CLASS=CHA1VIEW,ACTION=RACF
             ENDTAB ICHRFRTB TYPE=END
             END    ICHRFR01
    /*
    //L.SYSLMOD DD DSN=SYS1.LINKLIB,
    //             DISP=SHR
    //L.SYSIN   DD *
          NAME ICHRFR01(R)
    /*
    
  3. Activate the new classes, for example:
    //EXAMPLE   JOB ACCOUNT,PROGRAMMER
    //CLSA EXEC PGM=IKJEFT01
    //SYSTSPRT DD SYSOUT=*
    //SYSTSIN  DD *
    SETR CLASSACT(CHA1VIEW)
    SETR GENERIC(CHA1VIEW)
    /*
    
  4. Define a group to own the resources, for example:
    //EXAMPLE   JOB ACCOUNT,PROGRAMMER
    //AG       EXEC PGM=IKJEFT01
    //SYSTSPRT DD  SYSOUT=*
    //SYSTSIN  DD *
    AG (VIEWADMN) OWNER(SYS1) SUPGROUP(SYS1)
    /*
    
  5. To give READ access to all of the functions and ALTER access to all of the resources, run the following job steps:
    //EXAMPLE   JOB ACCOUNT,PROGRAMMER
    //RDEF EXEC PGM=IKJEFT01
    //SYSTSPRT DD SYSOUT=*
    //SYSTSIN DD *
    RDEF CHA1VIEW (*) OWNER(VIEWADMN) UACC(ALTER)
    RDEF CHA1VIEW (VIEW.*) OWNER(VIEWADMN) UACC(ALTER)
    /*
    
  6. Connect a user to the group and alter the user definition (so that its default group is the one you just created), for example:
    //EXAMPLE   JOB ACCOUNT,PROGRAMMER
    //CONN EXEC PGM=IKJEFT01
    //SYSTSPRT DD SYSOUT=*
    //SYSTSIN DD *
    CO (userid) GROUP(VIEWADMN)
    /*
    
    //EXAMPLE   JOB ACCOUNT,PROGRAMMER
    //ALU  EXEC PGM=IKJEFT01
    //SYSTSPRT DD SYSOUT=*
    //SYSTSIN DD *
    ALU (userid) DFLTGRP(VIEWADMN)
    /*
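    The job below is an added example and is not part of the CA View documentation. It shows a least-privilege variant of step 5: the same two CHA1VIEW profiles are defined with UACC(NONE), so that no universal access exists, and the access level is granted explicitly to the VIEWADMN group from step 4 through PERMIT. ALTER is used for both PERMITs only to mirror the level the page sets as UACC; an installation can lower it per profile. The profile names (* and VIEW.*) are taken from the page. The final step refreshes the in-storage generic profile list, which RACF requires after new generic profiles are defined in a class with SETR GENERIC active, and lists the profiles with AUTHUSER so the resulting access lists can be checked in SYSTSPRT.

```jcl
//EXAMPLE   JOB ACCOUNT,PROGRAMMER
//* Added example, not from the CA View documentation.
//* Assumes the CHA1VIEW class is active (step 3) and the
//* VIEWADMN group exists (step 4).
//*
//* 1. Define the profiles with no universal access.
//RDEF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
RDEF CHA1VIEW (*) OWNER(VIEWADMN) UACC(NONE)
RDEF CHA1VIEW (VIEW.*) OWNER(VIEWADMN) UACC(NONE)
/*
//* 2. Grant access only to the owning group. ALTER mirrors the
//*    page's UACC level; lower it per profile as required.
//PERMIT   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
PERMIT * CLASS(CHA1VIEW) ID(VIEWADMN) ACCESS(ALTER)
PERMIT VIEW.* CLASS(CHA1VIEW) ID(VIEWADMN) ACCESS(ALTER)
/*
//* 3. Refresh in-storage generic profiles and verify. AUTHUSER
//*    prints each profile's UACC and access list to SYSTSPRT.
//VERIFY   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
SETR GENERIC(CHA1VIEW) REFRESH
RLIST CHA1VIEW (*) AUTHUSER
RLIST CHA1VIEW (VIEW.*) AUTHUSER
/*
```

    In the RLIST output, UNIVERSAL ACCESS should read NONE for both profiles and the access list should show VIEWADMN as the only entry; any user not connected to VIEWADMN is then denied by RACF rather than admitted by the universal access setting.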