To enable you to give RACF® identities
to started procedures, RACF provides
the ICHRIN03 module. There are no entries in the module when you receive
it from IBM®. To use the started
procedures table, you replace that module with your own table that
associates the names of started procedures with user IDs and group
names.
The table becomes part of the link pack area. After replacing the
module, you must re-IPL the system with the CLPA option for the new
module to be in effect. (You could also
load the module into the MLPA, so that the link pack area does not
have to be re-created.) You can specify either RMODE(24) or RMODE(ANY)
for ICHRIN03.
The module (ICHRIN03) must consist of a table in the following
format. See the RACTABLE member in SYS1.SAMPLIB for a sample started
procedures table.
- Number of entries: A halfword of binary data containing
a count of the entries in the table. If the high-order (leftmost)
bit is turned on, this indicates that the table consists of 32-byte
entries, the format used in current versions of RACF. If the
high-order (leftmost) bit is off, this indicates that the table
consists of 24-byte entries. (Use X'0000' or X'8000' if there are no
entries.)
- An array: Each entry consists of 32 bytes of data. The
first 24 bytes of character data show the started procedure name and
its associated user ID and group name. Format each entry as follows:
  - Started procedure name: 8 bytes of character data. The name
    is required. The started procedure name must be left-justified and
    padded on the right with blanks.
  - User ID: 8 bytes of character data. A user ID is required. The
    user ID (or an equal sign for the generic entry) must be left-justified
    and padded on the right with blanks. (The maximum length of a user
    ID is 8 characters.)
    The user ID specified must be a RACF-defined
    user ID or an equal sign (=). The equal sign is valid only on the
    generic entry. See Generic entry in ICHRIN03.
  - Group name: 8 bytes of character data. The group name is optional.
    If a group name (or an equal sign for the generic entry) is used,
    it must be left-justified and padded on the right with blanks. If
    a group name is not used, this field must contain blanks.
    If the group name is specified, the user ID must be connected to this
    group. If a group name is not specified, the user ID's default group
    is used to build the ACEE used to grant authority to the started procedure.
  - Flags: 1 byte of binary data. Setting bit 0 on (X'80')
    indicates that this entry has the privileged attribute. Setting bit
    1 on (X'40') indicates that this entry has the trusted attribute.
    If both bits are on, the privileged attribute overrides the trusted
    attribute and no auditing is done.
    Even if a trusted or privileged
    attribute is specified, an equal sign or a RACF-defined user ID must
    be specified in the user ID field of the entry. For an equal sign,
    the started procedure name must also be a RACF-defined user ID.
    The remaining 6 bits must be zeros. (See notes.)
  - Reserved: 7 bytes of binary data. These 7 bytes must be binary
    zeros.
Note: If you add a started procedure to the table, be sure that you
increment the count field at the beginning of the table. Or, code
your started procedures table so that the assembler calculates the
count at assembly time, as shown in
Figure 1.
In this example, the high-order bit in the count field is set on to
indicate that these are 32-byte entries. Adding 32 768, the decimal
equivalent of
X'8000', turns on the high-order bit.
Figure 1. Coding ICHRIN03 so the assembler calculates the count field

ICHRIN03 CSECT
COUNT    DC    AL2(((ENDRIN03-COUNT-2)/32)+32768)
*--------- First Entry -----------------------------------------
ENTRY1   EQU   *
PROC1    DC    CL8'PROC1   '
USERID1  DC    CL8'TSO1    '
GROUP1   DC    CL8'SYS1    '
FLAGS1   DC    XL1'00'
         DC    XL7'00'
*--------- Last Entry ------------------------------------------
ENTRY2   EQU   *
PROC2    DC    CL8'*       '
USERID2  DC    CL8'TSO2    '
GROUP2   DC    CL8'=       '
FLAGS2   DC    XL1'00'
         DC    XL7'00'
*---------------------------------------------------------------
ENDRIN03 EQU   *
         END
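
The table layout described above can be checked offline before the module is installed. The following is an added example, not IBM's code: a Python sketch that parses the raw table bytes and reports layout violations and entries carrying the privileged or trusted attribute. The names audit_ichrin03 and _entry are hypothetical. It assumes the text is EBCDIC code page 037, that the generic entry is the one named '*' as in Figure 1, and that a 24-byte entry holds only the three 8-byte name fields.

```python
import struct

EBCDIC = "cp037"   # assumption: names are encoded in EBCDIC code page 037

def audit_ichrin03(table: bytes):
    """Parse raw ICHRIN03 table bytes; return (entries, findings)."""
    (raw,) = struct.unpack(">H", table[:2])          # halfword count field
    size = 32 if raw & 0x8000 else 24                # high-order bit on: 32-byte entries
    count = raw & 0x7FFF
    body = table[2:]
    if len(body) < count * size:
        raise ValueError("count field claims more entries than the table holds")
    findings = []
    if len(body) > count * size:                     # count was not incremented
        findings.append("count: data follows the last counted entry")
    entries = []
    for i in range(count):
        e = body[i * size:(i + 1) * size]
        proc, user, group = (e[o:o + 8].decode(EBCDIC) for o in (0, 8, 16))
        flags, reserved = (e[24], e[25:32]) if size == 32 else (0, b"")
        where = f"entry {i + 1} ({proc.strip()})"
        for name, val in (("procedure name", proc), ("user ID", user)):
            if not val.strip():
                findings.append(f"{where}: {name} is required")
        if any(v.strip() and v[0] == " " for v in (proc, user, group)):
            findings.append(f"{where}: field not left-justified")
        if proc.strip() != "*" and "=" in (user.strip(), group.strip()):
            findings.append(f"{where}: '=' is valid only on the generic entry")
        if flags & 0x3F or any(reserved):
            findings.append(f"{where}: low 6 flag bits and reserved bytes must be zero")
        if flags & 0x80:                             # privileged overrides trusted
            findings.append(f"{where}: privileged attribute set")
        elif flags & 0x40:
            findings.append(f"{where}: trusted attribute set")
        entries.append({"proc": proc.strip(), "user": user.strip(),
                        "group": group.strip(), "flags": flags})
    return entries, findings

def _entry(proc, user, group, flags=0):
    """Build one 32-byte entry (used only for the constructed sample below)."""
    text = "".join(f"{s:<8}" for s in (proc, user, group))
    return text.encode(EBCDIC) + bytes([flags]) + bytes(7)

# Constructed sample: the two Figure 1 entries plus a made-up PROC3 entry.
SAMPLE = struct.pack(">H", 3 + 0x8000) + _entry("PROC1", "TSO1", "SYS1") \
    + _entry("PROC3", "=", "", 0xC0) + _entry("*", "TSO2", "=")

if __name__ == "__main__":
    for line in audit_ichrin03(SAMPLE)[1]:
        print(line)
```
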