z/OS Security Server RACF System Programmer's Guide


Coding the started procedures module

SA23-2287-00

To enable you to give RACF® identities to started procedures, RACF provides the ICHRIN03 module. There are no entries in the module when you receive it from IBM®. To use the started procedures table, you replace that module with your own table that associates the names of started procedures with user IDs and group names.

The table becomes part of the link pack area. After replacing the module, you must re-IPL the system with the CLPA option for the new module to be in effect. (You could also load the module into the MLPA, so that the link pack area does not have to be re-created.) You can specify either RMODE(24) or RMODE(ANY) for ICHRIN03.

The module (ICHRIN03) must consist of a table in the following format. See the RACTABLE member in SYS1.SAMPLIB for a sample started procedures table.
  • Number of entries: A halfword of binary data containing a count of the entries in the table. If the high-order (leftmost) bit is turned on, this indicates that the table consists of 32-byte entries, the format used in current versions of RACF. If the high-order (leftmost) bit is off, this indicates that the table consists of 24-byte entries. (Use X'0000' or X'8000' if there are no entries.)
  • An array: Each entry consists of 32 bytes of data. The first 24 bytes of character data show the started procedure name and its associated user ID and group name. Format each entry as follows:
    • Started procedure name: 8 bytes of character data. The name is required. The started procedure name must be left-justified and padded on the right with blanks.
    • User ID: 8 bytes of character data. A user ID is required. The user ID (or an equal sign for the generic entry) must be left-justified and padded on the right with blanks. (The maximum length of a user ID is 8 characters.)

      The user ID specified must be a RACF-defined user ID or an equal sign (=). The equal sign is valid only on the generic entry. See Generic entry in ICHRIN03.

    • Group name: 8 bytes of character data. The group name is optional.

      If a group name (or an equal sign for the generic entry) is used, it must be left-justified and padded on the right with blanks. If a group name is not used, this field must contain blanks.

      If the group name is specified, the user ID must be connected to this group. If a group name is not specified, the user ID's default group is used to build the ACEE used to grant authority to the started procedure.

    • Flags: 1 byte of binary data. Setting bit 0 on (X'80') indicates that this entry has the privileged attribute. Setting bit 1 on (X'40') indicates that this entry has the trusted attribute.

      If both bits are on, the privileged attribute overrides the trusted attribute and no auditing is done.

      Even if a trusted or privileged attribute is specified, an equal sign or a RACF-defined user ID must be specified in the user ID field of the entry. For an equal sign, the started procedure name must also be a RACF-defined user ID.

      The remaining 6 bits must be zeros. (See notes.)

    • Reserved: 7 bytes of binary data. These 7 bytes must be binary zeros.
Note: If you add a started procedure to the table, be sure that you increment the count field at the beginning of the table. Or, code your started procedures table so that the assembler calculates the count at assembly time, as shown in Figure 1. In this example, the high-order bit in the count field is set on to indicate that these are 32-byte entries. Adding 32768, the decimal equivalent of X'8000', turns on the high-order bit.
Figure 1. Coding ICHRIN03 so the assembler calculates the count field
ICHRIN03   CSECT
COUNT      DC     AL2(((ENDRIN03-COUNT-2)/32)+32768)
*--------- First Entry -----------------------------------------
ENTRY1     EQU    *
PROC1      DC     CL8'PROC1   '
USERID1    DC     CL8'TSO1    '
GROUP1     DC     CL8'SYS1    '
FLAGS1     DC     XL1'00'
           DC     XL7'00'
*--------- Last Entry ------------------------------------------
ENTRY2     EQU    *
PROC2      DC     CL8'*       '
USERID2    DC     CL8'TSO2    '
GROUP2     DC     CL8'=       '
FLAGS2     DC     XL1'00'
           DC     XL7'00'
*---------------------------------------------------------------
ENDRIN03   EQU    *
           END
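
For reviewing an assembled table, the following Python code (an added example, not part of the IBM documentation or of RACF) decodes a table image in the format described above and reports privileged or trusted entries and entries that break the format rules. It assumes the names are EBCDIC code page 037 and that the generic entry is the one whose procedure name is an asterisk, as in Figure 1; PROC3 and STCUSR are constructed sample values.

```python
import struct

CODEPAGE = "cp037"  # assumption: names are EBCDIC code page 037
PRIVILEGED, TRUSTED = 0x80, 0x40

def parse_ichrin03(table):
    """Return one dict per entry: names, attributes and format findings."""
    (count,) = struct.unpack_from(">H", table, 0)
    size = 32 if count & 0x8000 else 24  # high-order bit selects the entry length
    count &= 0x7FFF
    if len(table) < 2 + count * size:
        raise ValueError("count field describes more entries than are present")
    entries = []
    for i in range(count):
        raw = table[2 + i * size: 2 + (i + 1) * size]
        fields = [raw[o:o + 8].decode(CODEPAGE) for o in (0, 8, 16)]
        proc, user, group = (f.rstrip() for f in fields)
        flags = raw[24] if size == 32 else 0  # 24-byte entries carry no flag byte
        findings = []
        if not proc or not user:
            findings.append("procedure name and user ID are required")
        if any(f.strip() and f[0] == " " for f in fields):
            findings.append("field not left-justified")
        if "=" in (user, group) and proc != "*":  # "*" = generic entry (Figure 1)
            findings.append("equal sign outside the generic entry")
        if flags & 0x3F or any(raw[25:]):
            findings.append("reserved bits or bytes are not zero")
        if flags & PRIVILEGED and flags & TRUSTED:
            findings.append("privileged overrides trusted: no auditing")
        entries.append({"proc": proc, "user": user, "group": group,
                        "privileged": bool(flags & PRIVILEGED),
                        "trusted": bool(flags & TRUSTED), "findings": findings})
    return entries

def build_entry(proc, user, group, flags=0):
    """Constructed helper: assemble one 32-byte entry for the sample below."""
    names = "".join(n.ljust(8) for n in (proc, user, group)).encode(CODEPAGE)
    return names + bytes([flags]) + bytes(7)

# Constructed sample: Figure 1's entries plus a hypothetical PROC3 (both bits on).
SAMPLE = struct.pack(">H", 0x8000 + 3) + b"".join([
    build_entry("PROC1", "TSO1", "SYS1"),
    build_entry("PROC3", "STCUSR", "", PRIVILEGED | TRUSTED),
    build_entry("*", "TSO2", "="),
])

if __name__ == "__main__":
    for e in parse_ichrin03(SAMPLE):
        print(e)
```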





Copyright IBM Corporation 1990, 2014