z/OS DFSMSrmm Implementation and Customization Guide


SAF calls for authorization checking

SC23-6874-00

DFSMSrmm issues RACROUTE calls to determine if a user is authorized to perform a DFSMSrmm function. The calls are issued in the address space and under the task of the command or utility user. Most SAF calls in the FACILITY class are issued regardless of the state of RACF, the SAF interface, or the FACILITY class.

DFSMSrmm prevents RACF users with the OPERATIONS and PRIVILEGED attributes from gaining authorization to the DFSMSrmm resources in the FACILITY class. Any user attempting to use DFSMSrmm functions must be authorized through the resource access list or through universal access. For all authorization checks, except for EDGRESET, DFSMSrmm issues the RACROUTE request with an ACEE address that identifies an ACEE that has had these attributes removed.

Figure 1 shows the RACROUTE call that DFSMSrmm issues to create an ACEE for a user that is defined to RACF. DFSMSrmm issues this call in the address space of the command issuer or batch utility.

Figure 1. Creating an ACEE for a user defined to RACF

RACROUTE REQUEST=VERIFY,ENVIR=CREATE,RELEASE=1.9,
      USERID=ACEEUSER,GROUP=ACEEGRP,PASSCHK=NO,SUBPOOL=(3)

Figure 2 shows the RACROUTE call that DFSMSrmm issues to create an ACEE for a user that is not defined to RACF. DFSMSrmm issues the call using a blank USERID value. DFSMSrmm issues this call in the address space of the command issuer or batch utility.

Figure 2. Creating an ACEE for a user not defined to RACF

RACROUTE REQUEST=VERIFY,ENVIR=CREATE,RELEASE=1.9,
      USERID=ACEEUSER,PASSCHK=NO,SUBPOOL=(3)
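
The following Python sketch is an added illustration, not IBM code and not part of the original guide. It models the rule described above: the check runs against a copy of the ACEE with OPERATIONS and PRIVILEGED removed, so access comes only from the access list or universal access. It then lists users who hold one of those attributes but would still be refused. The profile name, user IDs, group names and the user-entry-before-group-entry lookup are assumptions made for the example.

```python
# Added illustration: a simplified model, not RACF or DFSMSrmm code.
from dataclasses import dataclass, field

LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]  # access levels, low to high
STRIPPED = {"OPERATIONS", "PRIVILEGED"}  # attributes removed before the check


@dataclass
class Acee:
    userid: str
    group: str
    attributes: set = field(default_factory=set)


@dataclass
class Profile:
    name: str
    uacc: str = "NONE"
    access_list: dict = field(default_factory=dict)  # user or group ID -> level


def stripped_copy(acee):
    """ACEE used for the check: same identity, the two attributes removed."""
    return Acee(acee.userid, acee.group, set(acee.attributes) - STRIPPED)


def granted_level(acee, profile):
    """Access comes only from the access list or from universal access."""
    for ident in (acee.userid, acee.group):  # assumed order: user entry, then group
        if ident in profile.access_list:
            return profile.access_list[ident]
    return profile.uacc


def is_authorized(acee, profile, required):
    level = granted_level(stripped_copy(acee), profile)
    return LEVELS.index(level) >= LEVELS.index(required)


def attribute_only_users(acees, profile, required):
    """Users holding a stripped attribute who have no list or UACC access."""
    return [a.userid for a in acees
            if a.attributes & STRIPPED and not is_authorized(a, profile, required)]


# Constructed sample data; the profile name is a placeholder, not a real resource.
PROFILE = Profile("EXAMPLE.RMM.RESOURCE", "NONE", {"TAPEADM": "CONTROL", "OPSGRP": "READ"})
USERS = [Acee("TAPEADM", "STGGRP"), Acee("SYSOPER", "SYSGRP", {"OPERATIONS"}),
         Acee("STCUSER", "STCGRP", {"PRIVILEGED"}), Acee("OPER2", "OPSGRP", {"OPERATIONS"})]

if __name__ == "__main__":
    for need in ("READ", "UPDATE"):
        print(need, attribute_only_users(USERS, PROFILE, need))
```

Users reported by `attribute_only_users` need an explicit access list entry (or a suitable universal access setting) before they can use the function the profile protects.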





Copyright IBM Corporation 1990, 2014