Controlling access to Global Mirror commands

You can limit the use of Global Mirror commands by defining resource profiles in the RACF® FACILITY class and restricting access to those profiles. To use a protected command, you need read-access authority to the applicable profile.

Table 1 lists the Global Mirror commands and the facility class profiles that can restrict them. See the z/OS Security Server RACF Security Administrator's Guide for details on activating the RACF facility class, and defining and authorizing users to the PPRC command profiles.

Table 1. Global Mirror FACILITY class profile names
Command	Profile Name
RQUERY	STGADMIN.ANT.PPRC.COMMANDS
RSESSION
RVOLUME
RQUERY	STGADMIN.ANT.PPRC.CQUERY
Note: Authorize RQUERY command use with the STGADMIN.ANT.PPRC.COMMANDS profile or the STGADMIN.ANT.PPRC.CQUERY profile. PPRC first checks STGADMIN.ANT.PPRC.COMMANDS for authorization. If authorization is not permitted with the STGADMIN.ANT.PPRC.COMMANDS profile, PPRC checks the STGADMIN.ANT.PPRC.CQUERY profile for authorization to issue the RQUERY command.

Examples: The following examples activate the RACF FACILITY class, define the profile for the PPRC commands, and give user STGADMIN authority to use this profile:

This example activates the RACF FACILITY class:
```
SETROPTS CLASSACT(FACILITY)
```

This example defines the profile for PPRC commands, and authorizes user STGADMIN to use this profile:

 RDEFINE FACILITY STGADMIN.ANT.PPRC.COMMANDS UACC(NONE)
 
   PERMIT STGADMIN.ANT.PPRC.COMMANDS CLASS(FACILITY) -
          ID(STGADMIN) ACCESS(READ)