- We are making some changes in RACF external security and wanted to ask for your help. Right now, anyone who logs on to mainframe Dispatch can see any report in the system. Can security be changed at the RACF level to restrict who can see reports in the mainframe? 

- In DocView, users can see only reports that are associated with a recipient id. Can this be set up on the mainframe?

- We are currently looking at these four security  classes (PA@EL, CA@MD, RE@IPID and CA@EPORT). I tried looking in the manual and it looks like maybe RECIPID Definitions can restrict users based on recipient id? Is this correct? and does this work on the mainframe?

- Also we have some users who can access the system but do not appear in the Dispatch 9.C definition records. Do users show up in 9.C based on how they are set up in RACF?

Release : 11.7

Component : Dispatch

Regarding your Dispatch security questions we would answer as follows, in order of relevance.

* I tried looking in the manual and it looks like maybe RECIPID Definitions can restrict users based on recipient id? Is this correct? and does this work on the mainframe? 

- Understand first that Dispatch provides it own inherent way of securing what reports a user will be able to view when they sign on to Dispatch. This inherent security functionality is known as "END USER ONLINE VIEWING SECURITY" and it is invoked when a user enters online viewing via option B.3 from the main menu, regardless of whether or not you've configured Dispatch for INTERNAL or EXTERNAL security!!

Q1. In DocView, users can see only reports that are associated with a recipient id. Can this be set up on the mainframe?

Answer 1. Docview uses Dispatch's "END USER ONLINE VIEWING SECURITY" functionality to determine what Dispatch reports a user will be able to see. So yes, this is ALREADY set up via mainframe Dispatch's "END USER ONLINE VIEWING SECURITY". Docview itself does not invoke it's OWN security to determine who can see what reports. 

Q2. Also we have some users who can access the system but do not appear in 9.C. Do users show up in 9.C based on how they are set up in RACF?

Answer 2: No. The definitions that you see in 9.C are the "END USER ONLINE VIEWING SECURITY" definitions that are used to link RECIPIENTS to a users logon USERID. These 9.C definitions have nothing to do with securing ACCESS (who can logon) to Dispatch . They are there only to define who can see what reports when they go into online viewing via option B.3. Or, through WebViewer.

Q3. Right now, anyone who logs on to mainframe Dispatch can see any report in the system?

Answer 3: If you are talking about report "in online viewing" then this is because they are allowed to go into online viewing via option B.1. This being said, you can FORCE your users into online viewing through option B.3 to invoke "END USER ONLINE VIEWING SECURITY". And, you can do this regardless of whether or not you've configured Dispatch for INTERNAL or EXTERNAL security. This is done by way of assigning every user an INSTALLATION CODE of CARCP,X on their 9.C VSGMU235 screen.  
 
Q4. Can security be changed at the RACF level to restrict who can see reports in the mainframe? 

Answer 4: Yes, but it's not necessary to secure reports in online viewing using RACF. To use RACF for securing reports at the REPORT NAME/JOBNAME level, you would use the CAREPORT class (CA@EPORT) and CARPT= resource where you would need to define CARPT={( DEF,VIEW,PCUP,PCDN ) | NO } statements in RACF. See Chapter 8 in the System Programmers Guide and the RACF examples that we provide if you need more information on how to do this.