z/OS DFSMSdfp Storage Administration


Protecting ISMF functions

SC23-6860-01

You can use RACF® authorization to limit access to the following categories of ISMF functions:

  1. The entire ISMF component
  2. The individual ISMF applications:
    • Profile
    • Data Set
    • DASD Volume
    • Mountable Optical Volume
    • Management Class
    • Data Class
    • Storage Class
    • Storage Group
    • Automatic Class Selection
    • Control Data Set
    • Aggregate Group
    • Library Configuration
    • Drive Configuration
    • Data Collection
    • Copy Pool
    • List
    • Mountable Tape Volume
    • Tape Library
  3. The ISMF line operators
  4. The ISMF commands

ISMF relies on the RACF program control feature to protect many of its applications. The RACF program control feature prevents unauthorized end users from running selected ISMF programs. To use the feature, you must activate the RACF Program Class and define your selected ISMF programs to RACF.

With RACF program control you can set up authorization levels for each of these categories, varying the level within a particular category to suit the needs of your installation. Individual end users can execute an ISMF function if one of the following conditions is true:
  • They are authorized to execute the corresponding load module.
  • Their RACF profile contains the OPERATIONS attribute.
  • Their group is authorized to execute the load module.
  • RACF is disabled or the program control feature is turned off.
  • The universal access authority (UACC) for the load module is READ or greater, making the load module available to anyone who can access ISMF.

Recommendation: Protect these functions with RACF program control to make sure that only particular users can use the storage administrator applications and functions. The user mode level is stored in the user's ISPF profile, so a TSO/E user can change it; protect the functions at a different level than the user mode level.

The RACF program resource class allows the security administrator to protect various ISMF applications and functions with program control. This is achieved by controlling access to the load modules that are invoked by:
  • ISMF Applications
  • ISMF Line Operators
  • ISMF Commands
The load modules reside in the following libraries:
  • SYS1.DGTLLIB for DFSMSdfp/ISMF
  • SYS1.DGTLLIB for DFSMSdss/ISMF
  • SYS1.DFQLLIB for DFSMShsm

If the installation moves these modules to another load library, the installation-defined load library must be used in the program protection.

To protect a load module, use the RDEFINE RACF command. The syntax of this command is:
    RDEFINE PROGRAM mod-name OWNER(owner of profile)          +
            UACC(NONE) ADDMEM('dsn of loadlib'/volser/NOPADCHK)

See z/OS Security Server RACF Security Administrator's Guide for a detailed description of how to use the RACF program control features.
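
The steps above (activate the PROGRAM class, define each load module with UACC(NONE), permit a group, refresh, verify) can be run as one REXX exec. This is an added example, not part of the IBM documentation; the module names, owner and group are placeholders, the volser is omitted, and the exec assumes it is run by a user with authority to issue these RACF commands.

```rexx
/* REXX - added example, not IBM-supplied code.                       */
/* Placeholders (assumptions): module names, owner and group IDs.     */
modules = 'ISMFMOD1 ISMFMOD2'   /* replace with the real load modules */
loadlib = 'SYS1.DGTLLIB'        /* library named on this page         */
owner   = 'SECADMIN'            /* hypothetical profile owner         */
group   = 'STGADMIN'            /* hypothetical storage admin group   */

/* Activate program control. While it is off, any user who can        */
/* access ISMF can run the modules regardless of the profiles.        */
call run "SETROPTS WHEN(PROGRAM)"

do i = 1 to words(modules)
  mod = word(modules, i)
  /* UACC(NONE): no default access. READ or greater would open the    */
  /* module to every ISMF user.                                       */
  cmd = "RDEFINE PROGRAM" mod "OWNER("owner") UACC(NONE)",
        "ADDMEM('"loadlib"'//NOPADCHK)"
  call run cmd
  /* Grant READ (execute) to the storage administration group only.   */
  call run "PERMIT" mod "CLASS(PROGRAM) ID("group") ACCESS(READ)"
end

/* Refresh the in-storage program profiles so the changes take effect.*/
call run "SETROPTS WHEN(PROGRAM) REFRESH"

/* List each profile to confirm the UACC and the access list.         */
do i = 1 to words(modules)
  call run "RLIST PROGRAM" word(modules, i) "ALL"
end
exit 0

/* Issue one TSO command, echo it, and stop on the first failure.     */
run: procedure
  parse arg cmd
  say '>>' cmd
  address tso cmd
  if rc <> 0 then do
    say 'Command failed, rc='rc
    exit rc
  end
  return
```

If the installation has moved the modules to another load library, change `loadlib` to that library name before running the exec.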





Copyright IBM Corporation 1990, 2014