Inbound requests for a local RACF® subsystem
are handled by a program which is invoked by an APPC transaction program
profile process. This profile must be protected in order to prevent
undesirable alterations which could bypass security processes, and
to control which remote users can send inbound requests.
There are two steps in controlling a transaction program profile:
- Protect the VSAM data set containing the profile. The level of
protection should restrict who can alter the profile. You might also
want to restrict who can read the data set. In this case, we recommend
that the ERASE attribute be specified on the DEFINE for the VSAM cluster.
- Protect the associated transaction program profile from unauthorized
execution of inbound requests.
Both of these steps can be performed through the use of the APPCTP
class. Profiles in this class have the form:
dbtoken.tplevel.tpname
where
- dbtoken
  Is the database token (1 to 8 characters) for the TP profile data
  set.
- tplevel
  Is the transaction program level. This tplevel corresponds
  with the TPLEVEL specified on the LUADD. For example, if you specify
  TPLEVEL(USER) on the LUADD, APPC looks for an APPCTP profile protecting dbtoken.userid.tpname.
  There is no RACF requirement
  for the TPLEVEL. See the APPC manuals referenced in "Setting up your system to use APPC/MVS and VTAM" for information.
- tpname
  Is the transaction program name (1 to 64 characters). Unless the
  installation changes it, RACF uses
  the default TPNAME of IRRRACF.
The local RACF user
ID authorized to this profile must be the same as the user ID that
the RACF subsystem in the remote
node operates under.
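
The two steps above, written out as RACF TSO commands. This is an added example, not part of the original text. dbtoken and tplevel stand for your installation's values, RRSFRMT (the user ID the remote RACF subsystem runs under) and TPADMIN (the TP profile administrator) are hypothetical IDs, and the access levels follow the APPC/MVS convention that UPDATE allows a TP profile to be altered and EXECUTE allows it to be run, which should be confirmed in the APPC manuals.

```tso
 /* Added example: dbtoken, tplevel, RRSFRMT and TPADMIN are          */
 /* placeholders, not values taken from the documentation above.     */

 /* Define the APPCTP profile for the default RACF TP name with no   */
 /* universal access, so nobody can alter or run it by default.      */
 RDEFINE APPCTP dbtoken.tplevel.IRRRACF UACC(NONE)

 /* Step 1: only the TP profile administrator may alter the profile  */
 /* stored in the TP profile data set (assumed UPDATE semantics).    */
 PERMIT dbtoken.tplevel.IRRRACF CLASS(APPCTP) ID(TPADMIN) ACCESS(UPDATE)

 /* Step 2: only the user ID that the remote RACF subsystem runs     */
 /* under may send inbound requests (assumed EXECUTE semantics).     */
 PERMIT dbtoken.tplevel.IRRRACF CLASS(APPCTP) ID(RRSFRMT) ACCESS(EXECUTE)

 /* Activate the class so the profile is enforced. If the class is   */
 /* RACLISTed at your installation, refresh the in-storage copy.     */
 SETROPTS CLASSACT(APPCTP)
 SETROPTS RACLIST(APPCTP) REFRESH

 /* Check the result: UACC should be NONE and the access list should */
 /* contain only the two IDs permitted above.                        */
 RLIST APPCTP dbtoken.tplevel.IRRRACF AUTHUSER
```

If the installation changed the TPNAME from the default, substitute that name for IRRRACF in every command.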