z/OS Security Server RACF System Programmer's Guide


The STARTED class

SA23-2287-00

The STARTED class allows you to assign RACF® identities to started procedures and jobs dynamically, using the RDEFINE and RALTER commands. Unlike the started procedures table, it does not require you to modify code or re-IPL to add or modify RACF identities for started procedures. It provides, in effect, a dynamic started procedures table.

The MVS™ START command can start jobs and procedures. The START command specifies the member name to start and the job name to use. The member name is the name of a member of a partitioned data set that contains the source JCL for the task or job to be started. Using the STARTED class, RACF can assign different user IDs and group names to the same started member, depending on the job name that is used. CICS® can use this, for example, to allow one procedure to be used for various different CICS regions, which might have different security requirements.

Resource names in the STARTED class are of the form membername.jobname; for example, CICS.JOBA, CICS.REGION2, or IMS.PROD. The resource name is of the form membername.membername if no jobname is provided.

Profiles in the STARTED class have a segment, STDATA, containing fields for user ID, group name, trusted flag, privileged flag, and a trace flag. The user ID can be a RACF user ID or the character string =MEMBER, which indicates that the member name is to be used as the user ID. The group name can be a RACF group name or the character string =MEMBER, which indicates that the member name is to be used as the group name. If tracing is specified, RACF issues operator message IRR812I during RACROUTE REQUEST=VERIFY or VERIFYX to indicate which profile is used. This message can be used during diagnosis of security problems with started procedures to determine which profile was used for a particular started procedure.

The RDEFINE, RALTER, and RLIST commands define and modify profiles in the STARTED class. For more information about these commands, see z/OS Security Server RACF Command Language Reference.

You should define an appropriate generic profile that matches all possible START commands, and in it specify either a user ID of limited privileges or =MEMBER. This approach ensures that, for any START command, there is always a matching profile with an STDATA segment that assigns a user ID. In addition, using this approach avoids the following situations, which cause RACF to use ICHRIN03 to process the START command:
  • There is no matching profile.
  • There is a matching profile, but it does not have an STDATA segment.
  • There is a matching profile with an STDATA segment, but no user ID is specified.
Note: When the STARTED class is active, RACF uses it before using the started procedures table, ICHRIN03. It overrides all the entries in ICHRIN03.
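
The following Python sketch is an added example, not IBM code. It models the rules above so that an administrator can check which START commands would receive an identity from the STARTED class and which would fall back to ICHRIN03. As a simplifying assumption it matches only exact (discrete) profile names and a single catch-all `**` profile, not RACF's full generic matching; the names `Profile`, `resolve`, CICSR2, CICSGRP, STCGRP and PAYROLL are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Profile:
    """One STARTED profile, reduced to the STDATA fields used here."""
    has_stdata: bool = True
    user: Optional[str] = None    # RACF user ID or "=MEMBER"
    group: Optional[str] = None   # RACF group name or "=MEMBER"


def resource_name(member: str, jobname: Optional[str] = None) -> str:
    # membername.jobname, or membername.membername when no job name is given
    return f"{member}.{jobname or member}"


def resolve(profiles: dict, member: str, jobname: Optional[str] = None) -> dict:
    """Return where the identity for one START command comes from."""
    name = resource_name(member, jobname)
    # Simplification: exact (discrete) name first, then the catch-all "**".
    key = name if name in profiles else ("**" if "**" in profiles else None)
    if key is None:
        return {"resource": name, "source": "ICHRIN03", "reason": "no matching profile"}
    prof = profiles[key]
    if not prof.has_stdata:
        return {"resource": name, "source": "ICHRIN03", "reason": "no STDATA segment"}
    if not prof.user:
        return {"resource": name, "source": "ICHRIN03", "reason": "no user ID in STDATA"}

    def subst(value):
        # =MEMBER means the member name is used as the user ID or group name
        return member if value == "=MEMBER" else value

    return {"resource": name, "source": "STARTED", "profile": key,
            "user": subst(prof.user), "group": subst(prof.group)}


# Constructed sample profiles (hypothetical user IDs and group names).
PROFILES = {
    "CICS.REGION2": Profile(user="CICSR2", group="CICSGRP"),
    "IMS.PROD": Profile(has_stdata=False),
    "**": Profile(user="=MEMBER", group="STCGRP"),
}

if __name__ == "__main__":
    for member, job in [("CICS", "REGION2"), ("CICS", "JOBA"), ("IMS", "PROD"), ("PAYROLL", None)]:
        print(resolve(PROFILES, member, job))
```

In this sample, IMS.PROD still falls back to ICHRIN03 even though a catch-all profile exists, because its own matching profile has no STDATA segment.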

For additional information about the STARTED class, see z/OS Security Server RACF Security Administrator's Guide. For information about jobs and started tasks, see z/OS MVS System Commands.





Copyright IBM Corporation 1990, 2014