Controlling User Access to Side Information

Authority to administer individual entries in the side information file is provided by RACF® profiles in the APPCSI class. APPCSI profile names are of the form dbtoken.SYS1.symbolic-destination-name, where:

dbtoken is the database token associated with the side information file (1 through 8 characters).
symbolic_destination_name is the symbolic destination name (1 through 8 characters) associated with the side information entry.

For example:

RDEFINE APPCSI dbtoken.SYS1.symdname UACC(NONE)

APPC/MVS administrators need READ access to view side information entries and UPDATE access to create, modify, and delete side information entries.

For example, assuming TPA in Figure 1 is on MVS, and the side information file has a database token of TOKEN1, you could use the following commands to permit ADMIN01 to view the entry for SYMDES1:

RDEFINE APPCSI TOKEN1.SYS1.SYMDES1 UACC(NONE)

PERMIT TOKEN1.SYS1.SYMDES1 CLASS(APPCSI) ID(ADMIN01) ACCESS(READ)

You could use the following command to allow ADMIN01 to modify the entry for SYMDES1, for example, when moving TPB to another LU:

PERMIT TOKEN1.SYS1.SYMDES1 CLASS(APPCSI) ID(ADMIN01) ACCESS(UPDATE).

Users who use symbolic destination names on outbound allocate requests do not require access to APPCSI profiles.

When you are ready to start using the protection defined in the APPCSI profiles, the security administrator should activate the APPCSI class and activate SETROPTS RACLIST processing for the class. For example:

SETROPTS CLASSACT(APPCSI) RACLIST(APPCSI)

Any time an APPCSI profile is changed, SETROPTS RACLIST processing for the APPCSI class must be refreshed for the change to take effect:

SETROPTS RACLIST(APPCSI) REFRESH