Much of the RACF® activity dealing with protected CICS® resources
involves creating, changing, and deleting general resource profiles.
Note:
- The commands described here, and the operands used in the examples, are not exhaustive.
- The sequences of commands shown here demonstrate one way to accomplish a given task. There may be other sequences of commands that you can use. For full details of RACF commands, refer to z/OS Security Server RACF Command Language Reference.
- Creating general resource profiles
- To create a general resource profile, use the RDEFINE command. Generally,
once you have created a profile, you then create an access list for the profile
using the PERMIT command.
In this example, the three RDEFINE commands define three profiles named CEMT, CEDA, and CEDB in the TCICSTRN resource class. The three PERMIT commands allow two groups of users to access each transaction:
RDEFINE TCICSTRN CEMT UACC(NONE)
        NOTIFY(sys_admin_userid)
RDEFINE TCICSTRN CEDA UACC(NONE)
        NOTIFY(sys_admin_userid)
RDEFINE TCICSTRN CEDB UACC(NONE)
        NOTIFY(sys_admin_userid)
PERMIT CEMT CLASS(TCICSTRN) ID(group1, group2) ACCESS(READ)
PERMIT CEDA CLASS(TCICSTRN) ID(group1, group2) ACCESS(READ)
PERMIT CEDB CLASS(TCICSTRN) ID(group1, group2) ACCESS(READ)
- Creating a resource group profile
- To define a profile in a resource grouping class, use the RDEFINE command
with the ADDMEM operand to add resources as members of the group. Generally,
once you have created a profile, you then create an access list for the profile
using the PERMIT command.
In this example, the RDEFINE command defines a resource group profile named CICSTRANS in the GCICSTRN resource grouping class. The PERMIT command allows two groups of users to access all transactions in the profile.
RDEFINE GCICSTRN CICSTRANS UACC(NONE)
        ADDMEM(CEMT, CEDA, CEDB)
        NOTIFY(sys_admin_userid)
PERMIT CICSTRANS CLASS(GCICSTRN) ID(group1, group2) ACCESS(READ)
- Creating a general resource profile
- Use the RDEFINE command to create a profile in a general resource class:
RDEFINE class profile UACC(NONE)
where:
- class is the name of the general resource class
- profile is the name of the new profile
Specify UACC(NONE) to ensure that there is no default access to the profile.
- Permitting access to a general resource
To permit access to a general resource, use the PERMIT command to create an access list for the general resource profile:
PERMIT profile CLASS(class)
       ID(user) ACCESS(authority)
where:
- profile is the name of the new profile
- class is the name of the general resource class
- user is the user (or group of users) that is being given access authority to the resource
- authority is the level of authority that is being granted to the user
- Removing an entry from an access list
To remove the entry for a user or group from an access list, issue the PERMIT command with the DELETE operand instead of the ACCESS operand:
PERMIT profile_name CLASS(class_name)
       ID(user|group) DELETE
- Changing a profile
- If you want to change a profile (for example, changing UACC from NONE
to READ), use the RALTER command:
RALTER class_name profile_name UACC(READ)
- Deleting a profile
- To delete a profile, use the RDELETE command. For example:
RDELETE class_name profile_name
- Copying from a profile
You can copy an access list from one profile to another. To do so, specify the FROM operand on the PERMIT command:
PERMIT profile_name CLASS(class_name)
       FROM(existing_profile_name) FCLASS(class_name)
You can copy information from one profile to another. To do so, specify the FROM operand on the RDEFINE or RALTER command:
RDEFINE class_name profile_name
        FROM(existing_profile_name) FCLASS(class_name)
Note: Do not plan to do this if you are using resource group profiles. RACF does not copy the members (specified with the ADDMEM operand) when copying the profile. Also, there are other ways in which the new profile might not be an exact copy of the existing profile. For example, RACF places the userid of the resource profile owner in the access list with ALTER access authority. For complete information, see the description of the FROM operand on the appropriate commands in the z/OS Security Server RACF Command Language Reference.
- Listing profiles in a class
To list the names of profiles in a particular class, use the SEARCH command. The following command lists profiles in the TCICSTRN class:
SEARCH CLASS(TCICSTRN)
The following command lists all profiles and their details in the GCICSTRN class:
SEARCH CLASS(GCICSTRN)
RLIST GCICSTRN * ALL
For information on resource classes, see RACF general resource profiles.
Note: If you are a group-SPECIAL user (not system-SPECIAL), the SEARCH command might not list all the profiles that exist in a class. To get a complete list of profiles in a class, you must have at least the authority to list each profile. For further information, see the description of RACF requirements for the SEARCH command in the z/OS Security Server RACF Command Language Reference, and Which profile is used to protect the resource?
- Activating protection for a class
To begin protecting all the resources protected by profiles in a RACF class, activate that class by issuing the SETROPTS command with CLASSACT specified:
SETROPTS CLASSACT(class_name)
- Defining a generic profile
Before you can use RDEFINE to define a generic profile (that is, one that uses an asterisk (*), double asterisk (**), ampersand (&), or percentage (%) character), first issue the command:
SETROPTS GENERIC(class_name)
- Deactivating protection for a class
Deactivating a class turns off protection without disturbing the profiles themselves. If a class is deactivated, RACF issues a "not protected" return code to CICS for all resources in that class. CICS treats this response as "access denied". To deactivate a RACF class, issue the SETROPTS command with NOCLASSACT specified:
SETROPTS NOCLASSACT(class_name)
- Determining active classes
To determine which RACF classes are currently active, issue the SETROPTS command with LIST specified:
SETROPTS LIST
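As an added example that is not part of the IBM page, the following Python script turns a small access policy into the command sequence the sections above describe: UACC(NONE) forced on every profile, SETROPTS GENERIC emitted before any generic name is defined in a class, one PERMIT per access level, and a lint that flags any RDEFINE or RALTER that leaves UACC open. The class names are the page's; the GROUPn group names, SYSADM and the CEC* pattern are constructed placeholders, and activating the member class last is an ordering choice made here rather than a rule stated on the page.

```python
import re
from typing import Dict, List
GENERIC_CHARS = set("*&%")   # *, **, & and % make a profile name generic (page)
ACCESS_LEVELS = {"NONE", "READ", "UPDATE", "CONTROL", "ALTER"}  # RACF access authorities

def is_generic(name: str) -> bool:
    return any(c in GENERIC_CHARS for c in name)

def permit_lines(profile: str, cls: str, acl: Dict[str, str]) -> List[str]:
    """One PERMIT per access level; IDs sharing a level are grouped as on the page."""
    out = []
    for level in sorted({a.upper() for a in acl.values()}):
        if level not in ACCESS_LEVELS:
            raise ValueError(f"unknown ACCESS level {level} on {profile}")
        ids = ", ".join(i for i, a in acl.items() if a.upper() == level)
        out.append(f"PERMIT {profile} CLASS({cls}) ID({ids}) ACCESS({level})")
    return out

def build_commands(policy: dict) -> List[str]:
    """Ordered RACF commands: GENERIC first, then profiles and PERMITs, CLASSACT last."""
    mcls, gcls, notify = policy["member_class"], policy["group_class"], policy["notify"]
    groups, profiles, acl = policy["groups"], policy["profiles"], policy["access"]
    cmds = []
    # SETROPTS GENERIC must precede RDEFINE of any generic name in that class (page rule).
    members = [m for ms in groups.values() for m in ms]
    if any(is_generic(n) for n in profiles + members):
        cmds.append(f"SETROPTS GENERIC({mcls})")
    if any(is_generic(g) for g in groups):
        cmds.append(f"SETROPTS GENERIC({gcls})")
    # Every profile gets UACC(NONE) so nothing is reachable by default.
    for g, ms in groups.items():
        cmds.append(f"RDEFINE {gcls} {g} UACC(NONE) ADDMEM({', '.join(ms)}) NOTIFY({notify})")
        cmds += permit_lines(g, gcls, acl.get(g, {}))
    for p in profiles:
        cmds.append(f"RDEFINE {mcls} {p} UACC(NONE) NOTIFY({notify})")
        cmds += permit_lines(p, mcls, acl.get(p, {}))
    # Activate the member class only once its profiles exist (ordering chosen here), then verify.
    cmds.append(f"SETROPTS CLASSACT({mcls})")
    cmds.append(f"RLIST {gcls} * ALL")
    return cmds

UACC_RE = re.compile(r"^(RDEFINE|RALTER)\s+(\S+)\s+(\S+).*\bUACC\((\w+)\)", re.I)
def open_uacc(commands: List[str]) -> List[str]:
    """Defender check: class/profile of any RDEFINE or RALTER whose UACC is not NONE."""
    hits = [UACC_RE.match(c.strip()) for c in commands]
    return [f"{m.group(2)}/{m.group(3)}" for m in hits if m and m.group(4).upper() != "NONE"]
POLICY = {  # constructed sample; GROUPn, SYSADM and the CEC* pattern are placeholders
    "member_class": "TCICSTRN", "group_class": "GCICSTRN", "notify": "SYSADM",
    "groups": {"CICSTRANS": ["CEMT", "CEDA", "CEDB"]}, "profiles": ["CEC*"],
    "access": {"CICSTRANS": {"GROUP1": "READ", "GROUP2": "READ"}, "CEC*": {"GROUP3": "READ"}},
}
```

Running `build_commands(POLICY)` yields seven commands beginning with SETROPTS GENERIC(TCICSTRN) and ending with RLIST GCICSTRN * ALL; feeding an existing command stream to `open_uacc` lists every profile whose UACC is anything other than NONE.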
Activating support for mixed case passwords
To turn support for mixed case passwords on, issue the SETROPTS command with PASSWORD specified:
SETROPTS PASSWORD(MIXEDCASE)
To turn support for mixed case passwords off, issue the SETROPTS command:
SETROPTS PASSWORD(NOMIXEDCASE)
Mixed case passwords are supported in z/OS Security Server (RACF) 1.7 and above.