z/OS Security Server RACF Macros and Interfaces


Preparing to run an application with the SAF user mapping plug-in implementation

SA23-2288-00

Before the application can run using the default SAF user mapping plug-in implementation, EIM and RACF® must be set up with the information used by that plug-in.
Note: Other SAF user mapping plug-in implementations might require a different setup. See Writing your own SAF user mapping plug-in implementation for the details.
To set up EIM, perform the following steps.
  1. Define and initialize the EIM domain with the user ID mappings or policies.
  2. Define the RACF profiles containing the name of the LDAP server hosting the EIM domain, the name of the EIM domain, and the LDAP BINDDN and BINDPW that the plug-in implementation uses.
  3. Define the IRR.PROXY.DEFAULTS profile in the FACILITY class, activate the class if needed, and RACLIST the FACILITY class profile. This profile should contain the name given to the local z/OS® registry in the EIM domain.
For details on how to perform these steps, including the software requirements and setup instructions, see z/OS Integrated Security Services EIM Guide and Reference.
If the C/C++ application is unauthorized (that is, problem program state and problem program key), the caller of the default SAF user mapping plug-in implementation needs to have access to either of the following RACF resources in the FACILITY class.
  • The user ID associated with the address space must have READ access to the BPX.SERVER resource in the FACILITY class.
  • The current user ID must have READ access to the IRR.RDCEKEY and IRR.RGETINFO.EIM resources in the FACILITY class.
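
The RACF side of step 3 and of the access requirements above, written as TSO commands. This is an added example, not taken from the IBM publication: the registry name RACFSYS1 and the user IDs EIMSRV and APPUSER are assumed placeholders, and the RDEFINE commands for BPX.SERVER, IRR.RDCEKEY and IRR.RGETINFO.EIM assume those profiles do not already exist on the system.

```tso
/* Step 3: record the local z/OS registry name used in the EIM domain. */
/* RACFSYS1 is a placeholder for the name defined in your EIM domain.  */
RDEFINE FACILITY IRR.PROXY.DEFAULTS UACC(NONE) +
        EIM(LOCALREGISTRY(RACFSYS1))

/* Option 1: the user ID associated with the address space (EIMSRV is  */
/* a placeholder) gets READ access to BPX.SERVER.                      */
RDEFINE FACILITY BPX.SERVER UACC(NONE)
PERMIT  BPX.SERVER CLASS(FACILITY) ID(EIMSRV) ACCESS(READ)

/* Option 2: the current user ID (APPUSER is a placeholder) gets READ  */
/* access to both EIM lookup resources instead.                        */
RDEFINE FACILITY IRR.RDCEKEY      UACC(NONE)
RDEFINE FACILITY IRR.RGETINFO.EIM UACC(NONE)
PERMIT  IRR.RDCEKEY      CLASS(FACILITY) ID(APPUSER) ACCESS(READ)
PERMIT  IRR.RGETINFO.EIM CLASS(FACILITY) ID(APPUSER) ACCESS(READ)

/* Activate and RACLIST the FACILITY class. If the class is already    */
/* RACLISTed, refresh it instead so the changes take effect.           */
SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)
SETROPTS RACLIST(FACILITY) REFRESH

/* Check the result: the EIM segment of the defaults profile, and the  */
/* access lists of the resources that were permitted.                  */
RLIST FACILITY IRR.PROXY.DEFAULTS EIM NORACF
RLIST FACILITY BPX.SERVER         AUTHUSER
RLIST FACILITY IRR.RDCEKEY        AUTHUSER
RLIST FACILITY IRR.RGETINFO.EIM   AUTHUSER
```

Only one of the two options is needed. Keeping UACC(NONE) on each profile and reviewing the AUTHUSER output confirms that only the intended user IDs hold READ access.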

In addition, all unauthorized applications that use the default SAF user mapping plug-in implementation must run in a clean address space. Minimally, the unauthorized application must be program-controlled. See z/OS Security Server RACF Security Administrator's Guide for details on how to set up program control for the application.

Logging of the EIM lookup operations can also be performed by defining RACF profiles. See z/OS Integrated Security Services EIM Guide and Reference for the setup instructions.





Copyright IBM Corporation 1990, 2014