724 Converting to DFSMSrmm from CA-1
//* ====
//* To execute this job you need the RACF SPECIAL attribute
//* ****************************************************************** *
//STEP01 EXEC PGM=IKJEFT01
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
/* ***************************************************************** */
/* CREATE AN ENTRY IN THE DYNAMIC STARTED PROCEDURE TABLE FOR DFRMM */
/* ***************************************************************** */
RDEFINE STARTED DFRMM.* -
STDATA(USER(DFRMM) -
GROUP(SYS1) -
PRIVELEGED(NO) -
TRACE(NO) -
TRUSTED(NO) )
C.1.2.2 ICHRIN03 started procedures table
We do not recommend using the RACF started procedures table (ICHRIN03).
The preferred way of adding started procedure users to the RACF database is by
using the STARTED class.
C.1.3 Define DFSMSrmm resources to RACF
Define RACF FACILITY class profiles to control access to DFSMSrmm functions
protected by the DFSMSrmm resource. The DFSMSrmm resources you protect
with RACF profiles in the FACILITY class each have an entity name prefixed with
STGADMIN.EDG. Table C-1 lists the DFSMSrmm resources.
If you do not protect DFSMSrmm resources with RACF, an equivalent security
product, or you do not have a security product in place, DFSMSrmm provides
control for some resources as defined in the DFSMSrmm Implementation and
Customization Guide, SC26-4932.
Table C-1 DFSMSrmm resources and protected functions
DFSMSrmm resource Function protected
STGADMIN.EDG.FORCE Use of the RMM FORCE parameter that can be
used in the ADDDATASET, CHANGEDATASET,
CHANGEVOLUME and DELETEDATASET
subcommand to changing information recorded by
DFSMSrmm during O/C/EIV processing
STGADMIN.EDG.HOUSEKEEP Use of DFSMSrmm inventory management
functions.
Appendix C. Security topics 725
STGADMIN.EDG.HOUSEKEEP.REPEXT Use to authorize the creation of report extract files
when no other inventory management function is
requested.
STGADMIN.EDG.IGNORE.TAPE.volser Use of duplicate volume serial numbers and
ignored volumes.
Recommendation:
Do not assign an access level to the
STGADMIN.EDG.IGNORE.TAPE.RMM.volser
resource to any specific user group. Instead, wait
until a tape volume that must be ignored by
DFSMSrmm is identified, to define a resource
granting a user or user group the needed access
level. Once the volume is no longer needed, delete
the resource.
STGADMIN.EDG.IGNORE.TAPE.RMM.volser Use of duplicate volume serial numbers and
ignoring volumes if the volume is defined to
DFSMSrmm.
Recommendation:
Do not assign an access level to the
STGADMIN.EDG.IGNORE.TAPE.RMM.volser
resource to any specific user group. Instead, wait
until a tape volume that must be ignored by
DFSMSrmm is identified, to define a resource
granting a user or user group the needed access
level. Once the volume is no longer needed, delete
the resource.
STGADMIN.EDG.IGNORE.TAPE.NORMM.volser Use of duplicate volume serial numbers and
ignoring volumes if the volume is not defined to
DFSMSrmm.
STGADMIN.EDG.LABEL.volser Creation of standard tape labels
STGADMIN.EDG.LISTCONTROL Use of the RMM LISTCONTROL subcommand to
display DFSMSrmm CDS control record
information and EDGRMMxx PARMLIB settings
STGADMIN.EDG.MASTER Access to information in the DFSMSrmm CDS
STGADMIN.EDG.NOLABEL.volser Creation of tapes without labels
STGADMIN.EDG.OPERATOR Use of the initialize and erase function
STGADMIN.EDG.OWNER. owner Access to owned resources. DFSMSrmm checks
this entity only if the command issuer is not the
owner of the resource or does not have CONTROL
access to STDADMIN.EDG.MASTER
DFSMSrmm resource Function protected
Get Converting to DFSMSrmm from CA-1 now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
