z/OS Security Server RACF Callable Services


RACF authorization

SA23-2293-00

  1. If the function_code indicates that a certificate is to be registered or deregistered, initACEE will perform the following authority checks:
    • To register a certificate with the current user ID, the caller must be RACF® SPECIAL or have at least READ authority to the IRR.DIGTCERT.ADD resource in the FACILITY class.
    • To deregister a certificate with the current user ID, the caller must be RACF SPECIAL or have at least READ authority to the IRR.DIGTCERT.DELETE resource in the FACILITY class.
    • To register a certificate as a CERTAUTH certificate, the caller must be RACF SPECIAL or have at least CONTROL authority to the IRR.DIGTCERT.ADD resource in the FACILITY class.
  2. If the function_code indicates that an ACEE is to be created or a certificate is to be queried, and the service determines that the user ID to use is specified in the hostIdMappings extension of the input certificate, the caller's authority to the IRR.HOST.(host-name) resource in the SERVAUTH class is checked. (The value for host-name is taken from the hostIdMappings extension.) The resource must exist and the caller must have READ authority to it; otherwise, the extension is ignored.
Note: To determine the caller, the current TCB is checked for an ACEE. If one is found, the authority of that user is checked. If there is no ACEE associated with the current TCB, the ACEE associated with the address space is used to locate the user ID.
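The RACF commands below are an added example, not part of this IBM page, showing how an administrator would define the FACILITY and SERVAUTH profiles named above so that a non-SPECIAL caller passes the initACEE authority checks. The group name CERTADM and the host name MYHOST.EXAMPLE.COM are hypothetical placeholders.

```tso
/* Protect the certificate registration/deregistration resources;    */
/* UACC(NONE) so nobody gets access by default.                      */
RDEFINE FACILITY IRR.DIGTCERT.ADD    UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.DELETE UACC(NONE)

/* READ is enough to register/deregister a certificate with the      */
/* caller's own user ID.                                             */
PERMIT IRR.DIGTCERT.ADD    CLASS(FACILITY) ID(CERTADM) ACCESS(READ)
PERMIT IRR.DIGTCERT.DELETE CLASS(FACILITY) ID(CERTADM) ACCESS(READ)

/* Registering a CERTAUTH certificate needs CONTROL on IRR.DIGTCERT.ADD; */
/* grant it only to the group that is allowed to add trust anchors.  */
PERMIT IRR.DIGTCERT.ADD CLASS(FACILITY) ID(CERTADM) ACCESS(CONTROL)

/* hostIdMappings is honored only if IRR.HOST.<host-name> exists in  */
/* SERVAUTH and the caller has READ; an undefined profile silently   */
/* disables the extension. MYHOST.EXAMPLE.COM is a placeholder.      */
SETROPTS CLASSACT(SERVAUTH) RACLIST(SERVAUTH)
RDEFINE SERVAUTH IRR.HOST.MYHOST.EXAMPLE.COM UACC(NONE)
PERMIT IRR.HOST.MYHOST.EXAMPLE.COM CLASS(SERVAUTH) ID(CERTADM) ACCESS(READ)

/* Activate the changes in the in-storage profiles.                  */
SETROPTS RACLIST(FACILITY) REFRESH
SETROPTS RACLIST(SERVAUTH) REFRESH

/* Verify the resulting access lists before relying on them.         */
RLIST FACILITY IRR.DIGTCERT.ADD AUTHUSER
RLIST SERVAUTH IRR.HOST.MYHOST.EXAMPLE.COM AUTHUSER
```

Because the caller is identified from the TCB-level ACEE when one exists, check which ACEE the calling task actually runs under before deciding which user ID or group to PERMIT.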





Copyright IBM Corporation 1990, 2014