By default, any programs that run in supervisor state or PKM allowing keys 0 to 7 can use the IXLCONN macro to establish XES connections to the XCF catalog and note pad structures. However, the data in these structures is managed solely by XCF, and allowing other programs to access the data directly through established XES connections could cause serious data integrity issues. IBM suggests that installations use Security Authorization Facility (SAF) to restrict access to the XCF catalog and note pad structures. No additional action is needed to grant XCF access. Note that restricting access to a note pad structure does not prohibit a program from accessing the note pads hosted in that note pad structure. See Authorizing XCF note pad requests for more information on defining security profiles to control access to XCF note pads.

The following steps describe how the RACF® security administrator can define RACF profiles to control the use of XCF catalog and note pad structures:

1. Define resource profile IXLSTR.structure-name in the FACILITY class. The Universal Access Authority (UACC) should be set to NONE to prohibit access from any programs other than XCF.
2. Make sure the FACILITY class is active, and generic profile checking is in effect. If in-storage profiles are maintained for the FACILITY class, refresh them.

For example, if an installation wants to restrict access to the XCF catalog structure, the security administrator can use the following commands:

      RDEFINE FACILITY IXLSTR.SYSXCF_NPCATALOG UACC(NONE)
      SETROPTS CLASSACT(FACILITY)

See z/OS Security Server RACF Security Administrator's Guide for information about RACF.