Setting up installation-defined classes

To set up installation-defined classes, work with your RACF system programmer to add new class descriptors to the installation-defined part (module ICHRRCDE) of the RACF class descriptor table (CDT). For an example of how to add installation-defined classes to the CDT, see Customizing security processing.

All installation-defined classes defined in the CDT must also be defined in the MVS™ router table. This is because the MVS router checks any class used in a router request to determine if it actually exists. If it does not, no request is sent to RACF. To define classes to the MVS router, add them to ICHRFR01, the user-modifiable portion of the MVS router table, as described in the z/OS Security Server RACROUTE Macro Reference. Also see Specifying user-defined resources to RACF.

When setting up installation-defined classes, we recommend that you copy the IBM-supplied defaults from the CDT, an example of which is in the z/OS Security Server RACF Macros and Interfaces manual. You will then need to change the name, group or member name, POSIT number, and ID. See the description of the ICHERCDE macro in the z/OS Security Server RACF Macros and Interfaces manual for details of valid values for these operands. See the same manual for information about creating installation-defined resource classes. For an example of how to add resource classes, see the IBM-supplied sample, DFH$RACF, which is in CICSTS31.CICS.SDFHSAMP.

For CICS resources, the first character of the resource class name is predefined by CICS, consistent with the default resource class name. You can define the second through eighth characters of the resource class name, but for ease of administration it is recommended that you specify the same characters for both the member and group class. The seven characters specified for the member class are the part of the resource class name you define to CICS in the various Xname parameters, except for the following:

You should avoid using the letters "CICS" in the second through fifth characters in any class name you define. RACF requires that at least one of the characters in the class name be a national or numeric character.
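The checks described above (every CDT class also defined in the router table, and the class-naming rules) can be run over the macro source before it is assembled. The following is an added example, not code from IBM or from DFH$RACF. The function names are hypothetical, the macro source is constructed, the ID and POSIT values are placeholders that are not validated, and the national characters are assumed to be #, @ and $.

```python
import re
NATIONAL = "#@$"  # assumption: national characters are #, @ and $
OPERAND = re.compile(r"([A-Z]+)=([A-Z0-9#@$]+)")

def parse_macros(source):
    """Return [(macro, {operand: value})], joining continuation lines."""
    stmts = []
    for line in source.splitlines():
        # Skip comment lines; column 72 holds the continuation marker.
        text = "" if line.startswith("*") else line[:71]
        start = re.search(r"\b(ICHERCDE|ICHRFRTB)\b", text)
        if start:
            stmts.append((start.group(1), {}))
            text = text[start.end():]
        if stmts:
            stmts[-1][1].update(OPERAND.findall(text))
    return stmts

def check_classes(cdt_source, router_source):
    """Return (class, problem) pairs for the rules described in the text."""
    routed = {ops.get("CLASS") for mac, ops in parse_macros(router_source)
              if mac == "ICHRFRTB"}
    findings = []
    for mac, ops in parse_macros(cdt_source):
        name = ops.get("CLASS")
        if mac != "ICHERCDE" or name is None:
            continue  # e.g. the operand-less ICHERCDE that ends the table
        if name not in routed:
            findings.append((name, "not in router table"))
        if not any(c in NATIONAL or c.isdigit() for c in name):
            findings.append((name, "no national or numeric character"))
        if name[1:5] == "CICS":
            findings.append((name, "CICS in characters 2-5"))
        partner = ops.get("GROUP") or ops.get("MEMBER")
        if partner and partner[1:] != name[1:]:
            findings.append((name, "characters 2-8 differ from " + partner))
    return findings

# Constructed sample input, not taken from DFH$RACF or any real system.
SAMPLE_CDT = """\
         ICHERCDE CLASS=T$USRTRN,                                      X
               GROUP=G$USRTRN,ID=128,POSIT=25
         ICHERCDE CLASS=G$USRTRN,MEMBER=T$USRTRN,ID=129,POSIT=25
         ICHERCDE CLASS=TCICSABC,ID=130,POSIT=26
         ICHERCDE
"""
SAMPLE_ROUTER = """\
         ICHRFRTB CLASS=T$USRTRN,ACTION=RACF
         ICHRFRTB CLASS=TCICSABC,ACTION=RACF
         ICHRFRTB TYPE=END
"""
if __name__ == "__main__": print(check_classes(SAMPLE_CDT, SAMPLE_ROUTER))
```

In the sample, G$USRTRN is reported because it has no router table entry, and TCICSABC is reported for both naming rules.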