z/OS DFSMSdfp Storage Administration


Establishing authorization for VSAM RLS

SC23-6860-01

To establish authorization to access VSAM RLS resources, assign a RACF attribute of PRIVILEGED or TRUSTED to the VSAM RLS server address space, SMSVSAM.

With PRIVILEGED, most RACROUTE REQUEST=AUTH macro instructions done for SMSVSAM are considered successful, without any checking being performed. The checking done for the CHKAUTH operand on the RACROUTE REQUEST=DEFINE macro instruction is also bypassed. All other RACF processing occurs as usual. RACF does not:
  • Call any exit routines
  • Generate any SMF records
  • Update any statistics.

TRUSTED is similar to PRIVILEGED. Most RACROUTE REQUEST=AUTH macro instructions that are done for SMSVSAM are considered successful, without any checking being performed. RACF does not:
  • Call any exit routines
  • Update any statistics.

RACF does generate SMF records that are based on the audit options specified in SETROPTS LOGOPTIONS and the UAUDIT setting in the USER ID profile.

If the VSAM RLS server address space is neither PRIVILEGED nor TRUSTED, grant the SMSVSAM server the appropriate access authorization:

  1. Add SMSVSAM with the STARTED attribute if you are using a started task group.
  2. Authorize SMSVSAM for update access to SYS1.DFPSHCDS.* data sets. If you protect SYS1.* data sets, be sure SMSVSAM is able to access SYS1.DFPSHCDS.* for update.
  3. If you protect volumes that contain RLS-accessed data, authorize SMSVSAM for update access to the volume profiles.
  4. To use the access method services SHCDS command, you must be authorized to the STGADMIN.IGWSHCDS.REPAIR resource in the FACILITY class. The SHCDS command lists SMSVSAM recovery associated with subsystems and spheres, and controls that recovery.

You should also ensure that only those users who need the capability, such as CICS subsystems, have access to register a subsystem name to SMSVSAM. Use the RACF subsystem name class to restrict this access. For more information, refer to the CICS Transaction Server for z/OS Release Guide in the CICS Transaction Server for z/OS Information Center.
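
The steps above, written out as RACF commands for the case where SMSVSAM is neither PRIVILEGED nor TRUSTED. This is an added example, not text from the IBM manual. Assumed for illustration: the group STCGROUP, volume serial RLS001, user IDs STGADM1 and CICSRGN1, subsystem name CICSPRD1, DASDVOL as the class holding the volume profile, SUBSYSNM as the subsystem name class, and the ACCESS(READ) levels, which the page does not state.

```tso
 /* Step 1: protected user ID for the server, plus a STARTED profile */
 /* mapping the SMSVSAM started task to it. STCGROUP is assumed.     */
ADDUSER SMSVSAM DFLTGRP(STCGROUP) NOPASSWORD NAME('VSAM RLS SERVER')
RDEFINE STARTED SMSVSAM.* +
  STDATA(USER(SMSVSAM) GROUP(STCGROUP) PRIVILEGED(NO) TRUSTED(NO))
SETROPTS RACLIST(STARTED) REFRESH

 /* Alternative described at the top of the page: TRUSTED(YES) in    */
 /* STDATA skips most authorization checks for SMSVSAM but, unlike   */
 /* PRIVILEGED(YES), still writes SMF records per LOGOPTIONS/UAUDIT. */

 /* Step 2: discrete generic profile so the grant does not depend    */
 /* on whatever broader SYS1.* profile is in place.                  */
ADDSD 'SYS1.DFPSHCDS.*' UACC(NONE)
PERMIT 'SYS1.DFPSHCDS.*' ID(SMSVSAM) ACCESS(UPDATE)
SETROPTS GENERIC(DATASET) REFRESH

 /* Step 3: only if the volume is already protected. RLS001 is an    */
 /* assumed volume serial; repeat for each volume with RLS data.     */
PERMIT RLS001 CLASS(DASDVOL) ID(SMSVSAM) ACCESS(UPDATE)

 /* Step 4: limit SHCDS to named storage administrators. The access  */
 /* level READ is an assumption; confirm it for your release.        */
RDEFINE FACILITY STGADMIN.IGWSHCDS.REPAIR UACC(NONE)
PERMIT STGADMIN.IGWSHCDS.REPAIR CLASS(FACILITY) ID(STGADM1) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH

 /* Subsystem name registration: one profile per subsystem name,     */
 /* permitted only to the region user ID that owns it (both assumed).*/
RDEFINE SUBSYSNM CICSPRD1 UACC(NONE)
PERMIT CICSPRD1 CLASS(SUBSYSNM) ID(CICSRGN1) ACCESS(READ)

 /* Review: confirm the started-task attributes and access lists.    */
RLIST STARTED SMSVSAM.* STDATA
LISTDSD DATASET('SYS1.DFPSHCDS.*') GENERIC AUTHUSER
RLIST FACILITY STGADMIN.IGWSHCDS.REPAIR AUTHUSER
RLIST SUBSYSNM CICSPRD1 AUTHUSER
```

The closing RLIST and LISTDSD output is what to review: the STDATA line shows whether PRIVILEGED or TRUSTED is set, and each access list should contain only the IDs named above.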





Copyright IBM Corporation 1990, 2014