RACF considerations for FPO

If you plan to use security validation, such as that provided by RACF®, you must activate the security function before running the FPO utilities.

Before any FPO processing is run, RACF verifies that the user ID under which the IFP utility runs is authorized in class IMSTxxx to run the required function, where xxx is OPC, ODE, OAE, or ODM. OER has no class of its own: if you want security validation when OER runs through the Area Sensor or OPC, specify OPC for xxx. If validation fails, processing ends.

The following call is issued by the security module to validate that the user has sufficient authority to access the FPO utility:
RACROUTE REQUEST=AUTH,APPL='FPX',ATTR=READ,
         CLASS='IMSTxxx',ENTITYX='imsid.dbname.areaname'
The call requests READ authority. Because RACF access authorities are cumulative (NONE, EXECUTE, READ, UPDATE, CONTROL, ALTER), an access list entry of READ or higher, such as the ACCESS(UPDATE) entries in Figure 2, satisfies the check.
Note: The high-level qualifier of the ADS (area data set) does not need to be the same as the ENTITYX parameter 'imsid.dbname.areaname'; the resource name checked is always imsid.dbname.areaname, whatever the data set is called.

To activate security, you must complete two tasks: define and activate class IMSTxxx (add the class descriptor entries, then activate the class with SETROPTS CLASSACT), and set up the appropriate RACF permit list.

If RACF is being used, a system IPL is required to activate the updated class descriptor table.

The following figure is an example of the class descriptor entries, which must be added to the installation class descriptor table by coding the RACF ICHERCDE macro.

Figure 1. Example of the class descriptor entries for an FPO utility
IMSTxxx  ICHERCDE CLASS=IMSTxxx,                                       +
               ID=128,                                                 +
               MEMBER=IMSMxxx,                                         +
               MAXLNTH=128,                                            +
               OTHER=ANY,                                              +
               POSIT=25,                                               +
               OPER=NO,                                                +
               RACLIST=DISALLOWED,                                     +
               GENLIST=DISALLOWED,                                     +
               DFTUACC=NONE
IMSMxxx  ICHERCDE CLASS=IMSMxxx,                                       +
               ID=129,                                                 +
               GROUP=IMSTxxx,                                          +
               MAXLNTH=128,                                            +
               OTHER=ANY,                                              +
               POSIT=25,                                               +
               OPER=NO,                                                +
               RACLIST=DISALLOWED,                                     +
               GENLIST=DISALLOWED,                                     +
               DFTUACC=NONE

The following figure shows an example to help you set up the RACF permit list for an FPO utility. Each profile is defined with UACC(NONE), so only the user IDs named on PERMIT commands can run the utility against that area; in the example, no PERMIT is issued for imsid.dbname.areaname2, so no user ID is authorized to it. Remember that if you update the class descriptor table, you must IPL the system to activate it before these commands can refer to class IMSTxxx.

Figure 2. Example to set up the FPO RACF permit list
RDEFINE IMSTxxx imsid.dbname.areaname0  UACC(NONE)
RDEFINE IMSTxxx imsid.dbname.areaname1  UACC(NONE)
RDEFINE IMSTxxx imsid.dbname.areaname2  UACC(NONE)

PERMIT imsid.dbname.areaname0 CLASS(IMSTxxx) ID(userid1) ACCESS(UPDATE)
PERMIT imsid.dbname.areaname0 CLASS(IMSTxxx) ID(userid2) ACCESS(UPDATE)
PERMIT imsid.dbname.areaname1 CLASS(IMSTxxx) ID(userid1) ACCESS(UPDATE)
PERMIT imsid.dbname.areaname1 CLASS(IMSTxxx) ID(userid2) ACCESS(UPDATE)
/*
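The two tasks above (activate the class, then build the permit list) can be done in one batch TSO job, which is how the SYSTSIN-style input ending in /* in Figure 2 would normally be submitted. The following job is an added example and is not part of the IBM documentation; it assumes hypothetical names (IMS ID IMSA, database DB1, areas AREA1 and AREA2, utility user IDs FPOUSR1 and FPOUSR2) and the OPC class, IMSTOPC, already present in the class descriptor table after the IPL. The submitting user needs the RACF SPECIAL attribute to issue SETROPTS.

```jcl
//FPORACF  JOB (ACCT),'FPO RACF SETUP',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Added example, not IBM-supplied JCL. Hypothetical names:
//*   IMSA     = imsid           DB1      = dbname
//*   AREA1/2  = areaname        FPOUSR1/2 = FPO utility user IDs
//* IMSTOPC is class IMSTxxx with xxx=OPC; it must already be in the
//* CDT (ICHERCDE entries assembled and the system IPLed).
//*
//* Step 1 (SETROPTS): activate the class so RACROUTE REQUEST=AUTH in
//*   CLASS='IMSTOPC' is enforced, and allow generic profiles in it.
//* Step 2 (RDEFINE):  one profile per imsid.dbname.areaname, UACC(NONE)
//*   so that nobody not on the access list can run the utility.
//* Step 3 (PERMIT):   UPDATE is higher than the READ the utility asks
//*   for, so it satisfies the check; FPOUSR2 is not permitted to AREA2.
//* Step 4 (RDEFINE generic): IMSA.DB1.* is a catch-all for any other
//*   area of DB1; the discrete AREA1/AREA2 profiles take precedence.
//* Step 5 (RLIST):    verify the access list RACF will actually use.
//* The class is RACLIST=DISALLOWED, so no SETROPTS RACLIST REFRESH is
//* needed; profile changes take effect on the next check.
//*
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS CLASSACT(IMSTOPC) GENERIC(IMSTOPC)
  RDEFINE IMSTOPC IMSA.DB1.AREA1 UACC(NONE)
  RDEFINE IMSTOPC IMSA.DB1.AREA2 UACC(NONE)
  PERMIT IMSA.DB1.AREA1 CLASS(IMSTOPC) ID(FPOUSR1 FPOUSR2) ACCESS(UPDATE)
  PERMIT IMSA.DB1.AREA2 CLASS(IMSTOPC) ID(FPOUSR1) ACCESS(UPDATE)
  RDEFINE IMSTOPC IMSA.DB1.* UACC(NONE) AUDIT(ALL(READ))
  RLIST IMSTOPC IMSA.DB1.AREA1 AUTHUSER
  RLIST IMSTOPC IMSA.DB1.AREA2 AUTHUSER
/*
```

Until SETROPTS CLASSACT(IMSTOPC) has been issued, RACF does not fail the utility's RACROUTE call; it returns "class not active" and the profiles you defined are never consulted, so check the class with SETROPTS LIST as well as the profiles with RLIST. The AUDIT(ALL(READ)) on the generic profile logs every successful and failed attempt against an area that has no discrete profile, which is the case a security operations team most wants to see. If your installation defines classes dynamically through the RACF CDT class (RDEFINE CDT with CDTINFO, then SETROPTS RACLIST(CDT) REFRESH) instead of through ICHERCDE, the IPL is not required, but the steps in this job are unchanged.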