Customizing a remote sharing environment

z/OS Security Server RACF System Programmer's Guide, SA23-2287-00

RACF® provides you with flexibility in customizing the RACF remote sharing facility environment on each RRSF node. You can choose to allow some functions in your environment, and not allow others, or to restrict some functions to specific nodes. For example, you can choose to allow or not allow automatic command direction on an RRSF node, and if you choose to allow it you can choose which commands are automatically directed and to which nodes they are directed. You can also control which user IDs are able to use each function. See Establishing security for your remote sharing environment for information.

You customize the RACF remote sharing facility environment for an RRSF node by defining profiles in the RRSFDATA class. The customization can be done by either a system programmer or a security administrator.

The RRSFDATA class is a crucial class for RACF remote sharing. This class must be active on an RRSF node before you can use many of the functions of RRSF, including defining associations, synchronizing passwords, directing commands with the AT keyword, and automatic direction. The RRSFDATA class can be used as a switch to turn these remote sharing functions on and off as you activate and deactivate the class.

Guideline: RACLIST the RRSFDATA class.

Table 1 shows the RRSFDATA resource names and the remote sharing functions that they control.

Initially, the RRSFDATA class is not active, and no profiles are defined in the class. Therefore, the RRSF functions controlled by the RRSFDATA class are not available to any users. You must define profiles for the functions you want to use, and activate the RRSFDATA class to make the functions available. If you define a profile with UACC(READ), then all users by default have access to the function the profile controls. If you define a profile with UACC(NONE), then no users have access by default to the function the profile controls, and you must explicitly authorize users to use the function. (See Establishing security for your remote sharing environment.)

If you want, for example, to customize your network so that all user IDs on NODEA can define associations with user IDs on NODEB and direct commands to NODEB, but you do not want user IDs on NODEA to automatically synchronize their passwords with user IDs on NODEB, then on NODEA issue:

and then activate the RRSFDATA class:

Because there is no RRSFDATA profile for RACLINK.PWSYNC.NODEB, password changes made on NODEA are not propagated to NODEB.

Security checks based on the RRSFDATA class are performed only on the local node, not on the remote nodes. Therefore, for example, you can use the RRSFDATA class on NODEA to prevent users on NODEA from directing commands to NODEB, but the RRSFDATA class on NODEA cannot prevent users on NODEB from directing commands to NODEA. However, you can use the RRSFDATA class on NODEB to prevent users on NODEB from directing commands to NODEA.

For more information about RRSFDATA profiles, see z/OS Security Server RACF Security Administrator's Guide.
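
The NODEA/NODEB scenario above, written out as an added example (a REXX exec that is not taken from the IBM guide). It assumes the RRSFDATA resource names RACLINK.DEFINE.node and DIRECT.node alongside the page's RACLINK.PWSYNC.NODEB; the group name SECADMIN in the commented alternative is a placeholder.

```rexx
/* REXX - added example, not IBM's text. Run under TSO on NODEA by a  */
/* user allowed to define RRSFDATA profiles and to issue SETROPTS.    */

/* Allow every NODEA user ID to define associations with NODEB and to */
/* direct commands to NODEB. No RACLINK.PWSYNC.NODEB profile is       */
/* defined, so password synchronization to NODEB stays unavailable.   */
cmd.1 = "RDEFINE RRSFDATA RACLINK.DEFINE.NODEB UACC(READ)"
cmd.2 = "RDEFINE RRSFDATA DIRECT.NODEB UACC(READ)"

/* Activate the class and RACLIST it, following the guideline above.  */
cmd.3 = "SETROPTS CLASSACT(RRSFDATA) RACLIST(RRSFDATA)"
cmd.0 = 3

/* Tighter alternative for command direction (placeholder group):     */
/*   RDEFINE RRSFDATA DIRECT.NODEB UACC(NONE)                         */
/*   PERMIT DIRECT.NODEB CLASS(RRSFDATA) ID(SECADMIN) ACCESS(READ)    */
/* After changing profiles in a RACLISTed class, refresh it:          */
/*   SETROPTS RACLIST(RRSFDATA) REFRESH                               */

do i = 1 to cmd.0
  say "Issuing:" cmd.i
  address TSO cmd.i
  if rc <> 0 then do
    /* Stop at the first failure so the class is not activated with   */
    /* only part of the intended profile set in place.                */
    say "Command failed, RC="rc
    exit rc
  end
end

/* Review what is now defined in the class on this node.              */
address TSO "RLIST RRSFDATA *"

/* Check the password-synchronization resource. RLIST should report   */
/* that no profile was found; if a profile is listed, password        */
/* changes made on NODEA can be propagated to NODEB.                  */
address TSO "RLIST RRSFDATA RACLINK.PWSYNC.NODEB"
say "RLIST for RACLINK.PWSYNC.NODEB ended with RC="rc
exit 0
```

These profiles govern only requests that originate on NODEA. Restricting what NODEB users can direct to NODEA takes the equivalent RRSFDATA profiles on NODEB.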
Copyright IBM Corporation 1990, 2014