z/OS MVS Setting Up a Sysplex


Authorizing XCF note pad requests

SA23-1399-00

The XCF Note Pad interface supports both authorized and unauthorized callers. If the calling program runs unauthorized, the installation must define a System Authorization Facility (SAF) profile that grants the program access to the note pad. If the calling program runs authorized, XCF calls SAF to determine whether the program has been granted the access needed to issue the note pad requests. If SAF is not installed, or the installation has not defined a SAF profile for the note pad, XCF rejects the request made by an unauthorized caller and permits the request to go forward for an authorized caller.

If the z/OS Security Server, which includes RACF, or another security product is installed, the security administrator can define profiles that control the use of the XCF note pads. To define appropriate security profiles, the security administrator needs to know the names of the note pads and the types of IXCNOTE requests the exploiter wishes to make. For example, a program that needs to create a note pad would need CONTROL access, whereas a program that only reads notes in the note pad needs only READ access. The installation and configuration documentation of the exploiter typically contains information about the names of the note pads (or how to define them) and the types of access required.

The following steps describe how the RACF® security administrator can define RACF profiles to control the use of XCF note pads:

  1. Define resource profile IXCNOTE.owner.application in the FACILITY class.
  2. Specify the users who have access to the note pad using the RACF PERMIT command.
  3. Make sure the FACILITY class is active, and generic profile checking is in effect. If in-storage profiles are maintained for the FACILITY class, refresh them.

For example, if an installation wants to permit an application with an identifier of SUBSYS1 to create an XCF note pad named NPOWNER1.NPAPP1.NPFUN1.NPQUA1, the security administrator can use the following commands:

      RDEFINE FACILITY IXCNOTE.NPOWNER1.NPAPP1 UACC(NONE)
      PERMIT IXCNOTE.NPOWNER1.NPAPP1 CLASS(FACILITY) ID(SUBSYS1) ACCESS(CONTROL)
      SETROPTS CLASSACT(FACILITY)

You can specify RACF user IDs or RACF group IDs on the ID keyword of the PERMIT command. If RACF profiles are not defined, the default allows any authorized user or program (supervisor state and PKM allowing key 0-7) to issue requests for the note pad.
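The decision rules described above can be modelled to find note pads that fall through to the default. The following is an added example, not IBM code and not part of the original page: it assumes a constructed dictionary standing in for the FACILITY class, models discrete profile names only, does not resolve group membership, and uses a hypothetical second note pad name and the hypothetical ID OTHERID.

```python
# Added model of the decision described on this page; not XCF or RACF code.
ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]  # RACF levels, low to high

def profile_for(note_pad_name):
    """Map owner.application.function.qualifier to IXCNOTE.owner.application."""
    owner, application = note_pad_name.split(".")[:2]
    return f"IXCNOTE.{owner}.{application}"

def decide(note_pad_name, racf_id, needed, caller_authorized, profiles, saf_installed=True):
    """Return (permitted, reason) for one note pad request.

    profiles is a constructed stand-in for the FACILITY class:
    {profile name: {"uacc": level, "acl": {RACF ID: level}}}.
    """
    profile = profiles.get(profile_for(note_pad_name)) if saf_installed else None
    if profile is None:
        # No SAF or no profile: the outcome depends only on the caller's state.
        if caller_authorized:
            return True, "no profile: authorized caller allowed by default"
        return False, "no profile: unauthorized caller rejected"
    granted = profile["acl"].get(racf_id, profile["uacc"])
    ok = ACCESS_ORDER.index(granted) >= ACCESS_ORDER.index(needed)
    return ok, f"profile grants {granted}, request needs {needed}"

def unprotected(note_pad_names, profiles):
    """Note pads with no covering profile, i.e. open to any authorized caller."""
    return sorted(n for n in note_pad_names if profile_for(n) not in profiles)

# Constructed sample data mirroring the RDEFINE/PERMIT example above.
PROFILES = {"IXCNOTE.NPOWNER1.NPAPP1": {"uacc": "NONE", "acl": {"SUBSYS1": "CONTROL"}}}
NOTE_PADS = ["NPOWNER1.NPAPP1.NPFUN1.NPQUA1",   # from the page
             "NPOWNER2.NPAPP9.NPFUN1.NPQUA1"]   # hypothetical, no profile defined

if __name__ == "__main__":
    for pad in NOTE_PADS:
        for racf_id, auth in (("SUBSYS1", False), ("OTHERID", True)):
            state = "authorized" if auth else "unauthorized"
            print(pad, racf_id, state, decide(pad, racf_id, "CONTROL", auth, PROFILES))
    print("open to any authorized caller:", unprotected(NOTE_PADS, PROFILES))
```

Any note pad that `unprotected` reports needs an RDEFINE with UACC(NONE) before the PERMIT list means anything for authorized callers.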

See z/OS Security Server RACF Security Administrator's Guide for information about RACF.





Copyright IBM Corporation 1990, 2014