What are the minimum ACF2 authorization requirements for the callers of Workload Management services IWMSRDRS (Deregister a server for sysplex routing) and IWMSRSRG (Register a server for sysplex routing)?

book

Article ID: 106819

calendar_today

Updated On:

Products

CA ACF2 CA ACF2 - DB2 Option CA ACF2 for zVM CA ACF2 - z/OS CA ACF2 - MISC

Issue/Introduction



What are the minimum ACF2 authorization requirements for the callers of Workload Management services IWMSRDRS (Deregister a server for sysplex routing) and IWMSRSRG (Register a server for sysplex routing)?

Environment

Release:
Component: ACF2MS

Resolution

Starting with z/OS® V2R2, the minimum authorization requirements for the callers of Workload Management services IWMSRDRS (Deregister a server for sysplex routing) and IWMSRSRG (Register a server for sysplex routing) are as follows.

If resource BPX.WLMSERVER is defined in the FACILITY class, an unauthorized caller requires access authority to this resource or the IWM.SERVER.REGISTER resource in the FACILITY class. 

If the server to be registered or deregistered is not the home address it is an unauthorized caller, one of the following is required: 
  • Supervisor state. 
  • Program key mask (PKM) allowing at least one of the keys 0-7. 
  • The caller has at least READ authority to the resource IWM.SERVER.REGISTER in the FACILITY class. If this resource is not defined, READ authority to the FACILITY class resource BPX.WLMSERVER is required. 
Sample ACF2 resource rules follow.

ACF
SET RESOURCE(FAC)
RECKEY BPX ADD( WLMSERVER UID(UID string of unauth caller) SERVICE READ(ALLOW))
F ACF2,REBUILD(FAC)

SET RESOURCE(FAC)
RECKEY IWM ADD( SERVER.REGISTER UID(UID string of unauth caller) SERVICE READ(ALLOW))
F ACF2,REBUILD(FAC)


For more information, see IBM z/OS MVS Programming: Workload Management Services.