Plan for HWIREXX helper program restriction for z/OS BCPii

Description

Starting with z/OS V2R1, users of the z/OS BCPii System REXX helper program HWIREXX are required to have at least READ authority to the FACILITY class resource HWI.HWIREXX.execname as defined in the security product. This function is provided in APAR OA45932 with PTF UA75120.

Table 1 provides more details about the migration action. Use this information to plan your changes to the system.

Table 1. Information about this migration action
Element or feature: BCP.
When change was introduced: z/OS V2R1 with APAR OA45932.
Applies to migration from: z/OS V2R1 without APAR OA45932 applied, and z/OS V1R13.
Timing: Before the first IPL of z/OS V2R2.
Is the migration action required? Yes, if you use the BCPii helper program HWIREXX.
Target system hardware requirements: None.
Target system software requirements: None.
Other system (coexistence or fallback) requirements: None.
Restrictions: The security product definitions as described need to be implemented to restrict use of the HWIREXX helper program.
System impacts: None.
Related IBM® Health Checker for z/OS® check: None.

Steps to take

Follow these steps:
  • To run a BCPii System REXX exec using the HWIREXX helper program, the user must have at least READ authority to the FACILITY class resource HWI.HWIREXX.execname, where execname specifies the 1 to 8 character name of the System REXX exec to be executed by the HWIREXX helper application. Also, BCPii requires the FACILITY class to be RACLIST-specified.
    The RACF syntax is as follows:
    RDEFINE FACILITY HWI.HWIREXX.execname UACC(NONE)
    PERMIT HWI.HWIREXX.execname CLASS(FACILITY) ID(userid) ACCESS(READ)
    SETROPTS RACLIST(FACILITY) REFRESH

    If the caller does not have sufficient SAF authorization to run the HWIREXX program, HWIREXX return code 112 (in decimal) is returned.
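
Added example (not part of the IBM documentation): a Python generator that builds the RACF commands shown above for an inventory of System REXX execs, with one discrete profile per exec and UACC(NONE) so that only the listed IDs get READ. The exec names and user IDs in the sample are constructed, and the name check assumes exec names follow the z/OS member-name character rules.

```python
import re

# Assumption: System REXX exec names follow z/OS member-name rules:
# 1 to 8 characters, first alphabetic or national (#, @, $),
# remainder alphanumeric or national.
EXEC_NAME = re.compile(r"[A-Z#@$][A-Z0-9#@$]{0,7}")
PREFIX = "HWI.HWIREXX."


def hwirexx_racf_commands(grants):
    """Build RACF commands from {execname: [userid, ...]}.

    Each exec gets its own discrete FACILITY profile with UACC(NONE),
    so only the listed IDs can run that exec through HWIREXX. An exec
    with an empty ID list is defined but permitted to nobody.
    """
    commands = []
    for execname, ids in sorted(grants.items(), key=lambda kv: kv[0].upper()):
        name = execname.upper()
        if not EXEC_NAME.fullmatch(name):
            raise ValueError(f"invalid exec name: {execname!r}")
        profile = PREFIX + name
        commands.append(f"RDEFINE FACILITY {profile} UACC(NONE)")
        # De-duplicate IDs so each one is permitted exactly once.
        for racf_id in sorted({i.upper() for i in ids}):
            commands.append(
                f"PERMIT {profile} CLASS(FACILITY) ID({racf_id}) ACCESS(READ)"
            )
    if commands:
        # One refresh after all changes, because BCPii requires the
        # FACILITY class to be RACLISTed.
        commands.append("SETROPTS RACLIST(FACILITY) REFRESH")
    return commands


if __name__ == "__main__":
    # Constructed sample inventory: exec names and user IDs are hypothetical.
    sample = {"hwiquery": ["OPSUSR1", "autouser"], "HWISETLP": ["OPSUSR1"]}
    for line in hwirexx_racf_commands(sample):
        print(line)
```

Review the generated commands before submitting them through your usual RACF change process.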

Reference information

For more information, see z/OS MVS Programming: Callable Services for High-Level Languages.