Setting up security for LICON data sets

This step is optional. If you want to protect the LICON data sets with RACF®, complete this step.

About this task

The following procedure provides a brief overview of the security setting for LICON data sets.

For more information about the security setting of the started tasks, see the topics that describe how to associate started procedures and jobs with user IDs in the z/OS® Security Server RACF System Programmer's Guide and in the z/OS Security Server RACF Security Administrator's Guide.

Procedure

To use RACF to protect the LICON data sets, define data set profiles for the LICON data sets. Also, because LICON data sets are accessed in each environment, consider the following requirements in both the IMS™ online environment and the batch environment.
IMS online environment
For IMS online processing, the DBRC region accesses the LICON data set. The DBRC region must therefore be assigned a user ID, preferably by using the RACF STARTED class. This assignment can also be done by using the RACF started task table (ICHRIN03) or the USER= and PASSWORD= values on the DBRC job or the task JCL. Give the user ID that is assigned to the DBRC region UPDATE access authority to the LICON data set.

The following list contains an example of the statements that are used to create and enable LICON data set protection by using RACF.

AG licongrp 
AU liconusr DFLTGRP(licongrp) 
RDEF STARTED dbrcrgn.* STDATA( USER(liconusr) GROUP(licongrp)) 
ADDSD liuhlq.licon UACC(NONE) 
PE liuhlq.licon ID(licongrp) ACCESS(UPDATE) 
AG licongrp
Creates a RACF group named licongrp.
AU liconusr DFLTGRP(licongrp)
Creates a RACF user ID of liconusr and assigns the default group licongrp.
RDEF STARTED dbrcrgn.* STDATA( USER(liconusr) GROUP(licongrp))
Defines the STARTED class profile, which will assign the user ID to the dbrcrgn procedure. This statement assumes that the PDS member name of the procedure that is started is dbrcrgn. This statement assigns user ID liconusr to the started procedure.
ADDSD liuhlq.licon UACC(NONE)
Defines a data set profile for the LICON data set.
PE liuhlq.licon ID(licongrp) ACCESS(UPDATE)
Gives the licongrp group UPDATE access to the LICON data set.
Batch environment
The user ID created for the DBRC online region cannot be used because jobs can be submitted by many different users. That user ID is used if it is correctly assigned through the RACF STARTED class, by coding entries for the job names in the STARTED class and associating those entries with the user ID. However, the STARTED class is used only when the batch jobs are started with the MVS™ START command. Jobs that are submitted to a JES reader do not invoke a call to the STARTED class, so they might not be assigned a user ID that allows appropriate access to the LICON data set. In this case, all users who are authorized to run batch jobs must be identified and connected to a group that has UPDATE access to the LICON data set.
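
For the batch case, the following job connects the batch users to the group that already holds UPDATE access and then lists the group and the data set access list so that the result can be checked. It is an added example, not part of the original procedure. The job card and the user IDs BATUSR1 and BATUSR2 are assumptions; LICONGRP and LIUHLQ.LICON stand for the licongrp and liuhlq.licon placeholders used in the online example, and the data set name is quoted so that TSO does not prepend a prefix to it.

```jcl
//LICONBAT JOB (ACCT),'LICON BATCH ACCESS',CLASS=A,MSGCLASS=X
//*
//* Added example. Job card values and BATUSR1/BATUSR2 are placeholders.
//* Runs RACF commands under the TSO terminal monitor program in batch.
//*
//* CONNECT  adds each batch submitter to the group that was permitted
//*          UPDATE access to the LICON data set.
//* LISTGRP  shows the users that are now connected to the group.
//* LISTDSD  with AUTHUSER shows the access list of the data set
//*          profile; expect LICONGRP with UPDATE and UACC of NONE.
//*
//RACFCMDS EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  CONNECT (BATUSR1 BATUSR2) GROUP(LICONGRP)
  LISTGRP LICONGRP
  LISTDSD DATASET('LIUHLQ.LICON') AUTHUSER
/*
```

Review the SYSTSPRT output: any user ID on the access list other than the group, or a UACC other than NONE, means the data set is open to more users than this procedure intends.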