RACF® considerations
Before using the subordinate address space or stripe data sets, make sure that you have established proper security authorizations and access.
For subordinate address spaces
The subordinate address space's user ID is obtained in two phases, as described in the following list:
- Before the IMS™ Index Builder code
is dispatched in the subordinate address space and has the opportunity
to set its security identity, the operating system attempts to use
the user ID from the profile definitions in the security system's
STARTED class as the user ID for these started tasks.
If you use the IMS Index Builder default job names, you can use the following RDEFINE to specify the user ID. The STARTED class is RACLIST'ed and must be refreshed after you make updates.
RDEFINE STARTED IIU*.* STDATA(USER(userid)) SETROPTS RACLIST(STARTED) REFRESHIf you use the IIURPRMS module to override the default job names, you must define the STARTED class profiles that correspond to the installation names.
Defining the IMS Index Builder load library to the security system with UACC(READ) is recommended so that all user IDs have access to the STEPLIB. If you do not want to define UACC(READ), you must set READ access to the load library for the user ID or for the group associated with the STARTED class profile.
Improper security system definitions result in errors when opening STEPLIB during subordinate address space initialization. The subordinate address space can fail with an ABENDS913, or the master address space can terminate by issuing an IIUB050E error message with REASON=799.
- After the IMS Index Builder code is dispatched in the subordinate address space, IMS Index Builder processing determines the user ID under which the master address space runs. The subordinate address space changes its own initial user ID to match that of the master address space. Once this change occurs, the subordinate address space runs with the same security authorities as the master.
For stripe data sets
IMS Index Builder uses stripe data sets to pass data between its address spaces; the data includes the WTO messages, the sort messages, the index records, and the duplicate keys. The stripe data sets exist only for the duration of that particular IMS Index Builder run.
The user ID associated with the master address space requires ALTER access to these data sets. You associate ALTER access to the stripe data sets by defining an IIU.STRIPE.* DATASET profile with UACC(ALTER). If your installation security policies do not allow UACC(ALTER), you must add each user that executes IMS Index Builder to this DATASET profile's access list with ALTER access.
By default, stripe data sets are allocated with the high-level qualifiers IIU.STRIPE. You can override this default by using the IIURDFLT CLASS setting in the IIURPRMS parameter module. However, if you override the default high-level qualifiers, you must define a DATASET profile corresponding to the installation's qualifiers.