z/OS Security Server RACF System Programmer's Guide


Customizing a remote sharing environment

SA23-2287-00

RACF® provides you with flexibility in customizing the RACF remote sharing facility environment on each RRSF node. You can choose to allow some functions in your environment, and not allow others, or to restrict some functions to specific nodes. For example, you can choose to allow or not allow automatic command direction on an RRSF node, and if you choose to allow it you can choose which commands are automatically directed and to which nodes they are directed.

You can also control which user IDs are able to use each function. See Establishing security for your remote sharing environment for information.

You customize the RACF remote sharing facility environment for an RRSF node by defining profiles in the RRSFDATA class. The customization can be done by either a system programmer or a security administrator.

The RRSFDATA class is a crucial class for RACF remote sharing. This class must be active on an RRSF node before you can use many of the functions of RRSF, including defining associations, synchronizing passwords, directing commands with the AT keyword, and automatic direction. Because of this, the RRSFDATA class acts as a switch: activating the class turns these remote sharing functions on, and deactivating it turns them off.

Guideline: RACLIST the RRSFDATA class.

Table 1 shows the RRSFDATA resource names and the remote sharing functions that they control.

Table 1. RRSFDATA resource names. The node name in a resource name is the name defined for a node by the TARGET command. For more information about defining node names, see Configuring an RRSF network.

Resource name
    Controls authorization to ...

AUTODASD.node.DATASET.APPL
    Have RACF automatically direct RACROUTE REQUEST=DEFINE and RACDEF updates to DASD profiles in the DATASET class to node node. In most circumstances, you should not set up automatic direction for these updates.

AUTODIRECT.node.class.APPL
    Have RACF automatically direct application updates in class class to node node. In the DATASET class, only updates made by ICHEINTY, RACROUTE REQUEST=EXTRACT, and RACXTRT are covered by this resource name.

AUTODIRECT.node.class.command
    Have RACF automatically direct all command commands in class class to node node.

AUTODIRECT.node.USER.PHRSSYNC
    Have RACF automatically direct all password phrase changes to node node.

AUTODIRECT.node.USER.PWSYNC
    Have RACF automatically direct all password changes to node node.

AUTOTAPE.node.DATASET.APPL
    Have RACF automatically direct RACROUTE REQUEST=DEFINE and RACDEF updates to tape profiles in the DATASET class to node node.

DIRECT.node
    Specify the AT keyword on RACF commands to direct them to node node.

IRR.RRSF.CONNECT
    Connect to the local node when the AT-TLS rule covering the connection specifies a client authentication level of SAFCheck (TCP/IP protocol only).

IRRBRW00
    Execute the workspace data set VSAM file browser, IRRBRW00.

PWSYNC
    Synchronize passwords with another user ID after establishing an association with that user ID that specifies password synchronization.

PHRASESYNC
    Synchronize password phrases with another user ID after establishing an association with that user ID that specifies password synchronization.

RACLINK.DEFINE.node
    Issue the RACLINK DEFINE command to define an association with a user ID on node node.

RACLINK.PWSYNC.node
    Issue the RACLINK DEFINE command to define an association that synchronizes passwords and password phrases with a user ID on node node.

Initially, the RRSFDATA class is not active, and no profiles are defined in the class. Therefore, the RRSF functions controlled by the RRSFDATA class are not available to any users. You must define profiles for the functions you want to use, and activate the RRSFDATA class to make the functions available. If you define a profile with UACC(READ), then all users by default have access to the function the profile controls. If you define a profile with UACC(NONE), then no users have access by default to the function the profile controls, and you must explicitly authorize users to use the function. (See Establishing security for your remote sharing environment.)

If you want, for example, to customize your network so that all user IDs on NODEA can define associations with user IDs on NODEB and direct commands to NODEB, but you do not want user IDs on NODEA to automatically synchronize their passwords with user IDs on NODEB, then on NODEA issue:

    RDEFINE RRSFDATA RACLINK.DEFINE.NODEB UACC(READ)
    RDEFINE RRSFDATA DIRECT.NODEB UACC(READ)

and then activate the RRSFDATA class:

    SETROPTS CLASSACT(RRSFDATA) RACLIST(RRSFDATA)

Because there is no RRSFDATA profile for RACLINK.PWSYNC.NODEB, password changes made on NODEA are not propagated to NODEB.
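The same customization as a batch TSO job, added here as an example that is not from the IBM publication: it uses the least-privilege form of the profiles (UACC(NONE) plus PERMIT to a group), limits automatic direction to two USER commands, and includes the RACLIST refresh that a RACLISTed class needs after profile changes. The job card, the group names RRSFADM and RRSFUSRS, and the choice of ADDUSER and ALTUSER are assumptions; NODEB and the resource names come from the text above.

```jcl
//RRSFCUST JOB (ACCT),'RRSFDATA SETUP',CLASS=A,MSGCLASS=X
//* Assumed example; group names RRSFADM and RRSFUSRS are placeholders.
//* Step 1: define the profiles with UACC(NONE) so that no user has
//*         the function by default, then PERMIT only the groups that
//*         need it (READ access is what the RRSFDATA check requires).
//* Step 2: allow automatic command direction to NODEB only for the
//*         ADDUSER and ALTUSER commands in the USER class, rather than
//*         for every command and class.
//* Step 3: activate and RACLIST the class, as the guideline advises.
//*         SETROPTS RACLIST(RRSFDATA) REFRESH is redundant on first
//*         activation but is required after any later RDEFINE, RALTER
//*         or PERMIT against the class, so it stays in the job.
//* Step 4: list every RRSFDATA profile with its access list to verify.
//* No RACLINK.PWSYNC.NODEB profile is defined, so password
//* synchronization with NODEB stays unavailable, as in the text.
//TSOCMDS  EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE RRSFDATA RACLINK.DEFINE.NODEB UACC(NONE)
  RDEFINE RRSFDATA DIRECT.NODEB UACC(NONE)
  PERMIT RACLINK.DEFINE.NODEB CLASS(RRSFDATA) ID(RRSFUSRS) ACCESS(READ)
  PERMIT DIRECT.NODEB CLASS(RRSFDATA) ID(RRSFADM) ACCESS(READ)
  RDEFINE RRSFDATA AUTODIRECT.NODEB.USER.ADDUSER UACC(READ)
  RDEFINE RRSFDATA AUTODIRECT.NODEB.USER.ALTUSER UACC(READ)
  SETROPTS CLASSACT(RRSFDATA) RACLIST(RRSFDATA)
  SETROPTS RACLIST(RRSFDATA) REFRESH
  RLIST RRSFDATA * AUTHUSER
/*
```

The RLIST output in SYSTSPRT is the place to confirm that each profile carries UACC NONE where intended and that only the expected groups appear in the access lists.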

Security checks based on the RRSFDATA class are performed only on the local node, not on the remote nodes. Therefore, for example, you can use the RRSFDATA class on NODEA to prevent users on NODEA from directing commands to NODEB, but the RRSFDATA class on NODEA cannot prevent users on NODEB from directing commands to NODEA. However, you can use the RRSFDATA class on NODEB to prevent users on NODEB from directing commands to NODEA.

For more information about RRSFDATA profiles, see z/OS Security Server RACF Security Administrator's Guide.





Copyright IBM Corporation 1990, 2014