|
- For function codes get_key and put_key, the user ID specified
  in the RACF_entity parameter must have a DCE segment.
- For function code get_ldap_pw, the LDAPBIND Class profile specified
  in the RACF_entity parameter must have a PROXY segment previously
  created through an RDEFINE or RALTER command. If the RACF_entity is
  not specified, the IRR.PROXY.DEFAULTS profile in the FACILITY Class
  must have a PROXY segment previously created through an RDEFINE or
  RALTER command.
- For callers not running in system key or supervisor state, the
  use of the R_dcekey service is authorized by FACILITY class resources:
  - The ACEE associated with the address space is used to determine
    the caller. If the caller is running in a clean environment with a
    RACF® user or group that has at least READ authority to the
    BPX.SERVER resource, use of R_dcekey is permitted and no subsequent
    access checks are made.
  - Otherwise, the current TCB is checked for an ACEE. If one is found,
    it will be used to determine the caller. If there is no ACEE associated
    with the current TCB, the ACEE associated with the address space is
    used to determine the caller. If the caller is running in a clean
    environment with a RACF user or group that has at least READ authority
    to the IRR.RDCEKEY resource, use of R_dcekey is permitted.

  If the FACILITY class is inactive, or the above resources are not
  defined, only servers running in system key or supervisor state may
  use the R_dcekey service. For more information about running in a
  clean environment, see the discussion of Program Control in the
  z/OS Security Server RACF Security Administrator's Guide.
|
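The order of the FACILITY class checks above can be modelled for access reviews. The following is an added example, not IBM code and not a RACF interface: the `Acee` and `Caller` types, the `r_dcekey_allowed` function, and all user and group names are hypothetical, and access-list evaluation is simplified (an explicit user entry wins, otherwise the highest group entry applies; UACC and other RACF checks are not modelled).

```python
from dataclasses import dataclass
from typing import Optional

LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

@dataclass(frozen=True)
class Acee:                      # hypothetical stand-in for a RACF ACEE
    user: str
    groups: tuple = ()

@dataclass
class Caller:                    # hypothetical description of the calling task
    address_space_acee: Acee
    tcb_acee: Optional[Acee] = None
    clean_environment: bool = True
    system_key_or_supervisor: bool = False

def has_read(profiles, resource, acee):
    """True if the ACEE's user or one of its groups holds at least READ."""
    acl = profiles.get(resource)
    if acl is None:              # resource not defined in the FACILITY class
        return False
    if acee.user in acl:         # simplification: explicit user entry wins
        level = acl[acee.user]
    else:
        level = max((acl.get(g, "NONE") for g in acee.groups),
                    key=LEVELS.get, default="NONE")
    return LEVELS[level] >= LEVELS["READ"]

def r_dcekey_allowed(caller, profiles, facility_active=True):
    """Return (allowed, reason), following the order of checks in the text."""
    if caller.system_key_or_supervisor:
        return True, "system key or supervisor state"
    if not facility_active:
        return False, "FACILITY class inactive"
    if not caller.clean_environment:
        return False, "environment is not clean"
    # Check 1 always uses the address-space ACEE.
    if has_read(profiles, "BPX.SERVER", caller.address_space_acee):
        return True, "BPX.SERVER via address-space ACEE"
    # Check 2 prefers the task-level (TCB) ACEE when one exists.
    acee, where = ((caller.tcb_acee, "TCB") if caller.tcb_acee
                   else (caller.address_space_acee, "address-space"))
    if has_read(profiles, "IRR.RDCEKEY", acee):
        return True, "IRR.RDCEKEY via " + where + " ACEE"
    return False, "no READ authority to BPX.SERVER or IRR.RDCEKEY"

# Constructed sample access lists: resource -> {user or group: access level}
PROFILES = {"BPX.SERVER": {"SRVGRP": "UPDATE"}, "IRR.RDCEKEY": {"WEBUSR": "READ"}}
```

In this model a task-level ACEE replaces the address-space ACEE for the IRR.RDCEKEY check, so a permitted address-space user ID does not help a task that runs under a different, unpermitted identity.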