This knowledge document presents an overview of how to implement the security interface between IDMS and RACF.
Environment
Release: All supported releases.
Resolution
External Resource Names in IDMS equate to resource profiles in RACF. To secure a resource externally, with RACF as the external security manager, three parameters must be specified in IDMS on the #SECRTT macro for that resource. Those are:
SECBY=EXTERNAL,
EXTCLS=<'name'>,
EXTNAME=('<res_name>')
This is an example of how to code the IDMS #SECRTT macro to secure SIGNON externally using RACF.
In the #SECRTT, code the following: #SECRTT TYPE=ENTRY, RESTYPE=SGON, SECBY=EXTERNAL, EXTCLS='SYSTEM', EXTNAME=(RESNAME)
SECBY=EXTERNAL indicates that the security for this resource will be verified at run-time using an external resource.
EXTCLS - Maps the IDMS resource type specified in the RESTYPE parameter to the resource class defined for this type in RACF or any other external security system. In this example, RESTYPE=SGON is assigned to a RACF class named SYSTEM.
EXTNAME - Using a set of predefined keywords, specifies the fields to be included in the external resource name. The order in which the keywords are specified is the order in which the fields will be included in the external resource name. Since EXTNAME defines the format of the resource name for external security requests, the format specified here must match the naming conventions for the corresponding resource class in the external security system.
When the external security manager is RACF, the EXTNAME in IDMS corresponds to the RACF PROFILE, and the EXTCLS corresponds to the RACF CLASS.
According to the IBM RACF documentation, the suggested syntax to use in RACF for creating a CLASS and PROFILE to correspond to this IDMS EXTNAME and EXTCLS is as outlined below.
Create a general resource profile, using the RDEFINE command to create a profile in a general resource class: RDEFINE class profile UACC(NONE) where:
class is the name of the general resource class
profile is the name of the new profile
Specify UACC(NONE) to ensure that there is no default access to the profile.
Permit access to this general resource, using the PERMIT command to create an access list for the general resource profile: PERMIT profile CLASS(class) ID(user) ACCESS(authority) where:
profile is the name of the new profile
class is the name of the general resource class
user is the user (or group of users) that is being given access authority to the resource
authority is the level of authority that is being granted to the user
In the above RACF syntax, the value specified for the <profile> parameter must match the resource name in IDMS.
Following these guidelines, the RACF command to create the general resource profile that would correspond to the above example for IDMS SIGNON would be: RDEFINE SYSTEM SYST1600 UACC(NONE)
Similarly, the command to grant access to this general resource for IDMS SIGNON in RACF would be: PERMIT SYST1600 CLASS(SYSTEM) ID(user01) ACCESS(READ)
Note that in the above examples, the value used for the "profile" parameter in the RACF commands is SYST1600. In IDMS the resource name for SIGNON is the system-identifier, which is the value specified in the SYSTEM ID parameter of the system generation on the SYSTEM statement. In this example, that is SYST1600.
To secure other IDMS resources in RACF, the IDMS resource (EXTNAME parameter) must be mapped to the RACF PROFILE. The PROFILEs seen in the RACF syntax can be associated with a RACF CLASS. The RACF CLASS and PROFILE values would be specified on the #SECRTT macro statement via EXTCLS and EXTNAME respectively. The value coded for EXTCLS should have a corresponding CLASS in RACF. The naming convention of the PROFILEs associated with that CLASS in RACF must match the format of the EXTNAME coded on #SECRTT.
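As an added illustration (not part of this knowledge document or of the IDMS product), the following Python models the mapping described above: it builds the external resource name in EXTNAME keyword order, produces the matching RDEFINE/PERMIT pair, and reports #SECRTT entries for which no RACF profile of that name exists in the given CLASS. The EXTNAME keywords other than RESNAME (RESTYPE, SYSTEM), the "." separator between fields, and the sample RESTYPE/CLASS/profile values are assumptions made for the example.

```python
# Added example: a model of the #SECRTT -> RACF CLASS/PROFILE mapping.
# Assumed for illustration: EXTNAME keywords RESTYPE and SYSTEM, and "."
# as the separator between fields of a multi-field external name.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

FIELD_SEP = "."  # assumed join character for multi-field names


@dataclass(frozen=True)
class SecrttEntry:
    restype: str               # IDMS resource type, e.g. "SGON"
    extcls: str                # EXTCLS: RACF general resource CLASS
    extname: Tuple[str, ...]   # EXTNAME keywords, in concatenation order
    secby: str = "EXTERNAL"


def external_resource_name(entry: SecrttEntry, fields: Dict[str, str]) -> str:
    """Build the external resource name (the RACF PROFILE) in EXTNAME order."""
    parts = []
    for keyword in entry.extname:
        if keyword not in fields:
            raise KeyError(f"no runtime value for EXTNAME keyword {keyword}")
        parts.append(fields[keyword])
    return FIELD_SEP.join(parts)


def racf_commands(entry: SecrttEntry, fields: Dict[str, str],
                  user: str, access: str = "READ") -> List[str]:
    """RDEFINE/PERMIT pair that corresponds to one #SECRTT entry."""
    profile = external_resource_name(entry, fields)
    return [
        f"RDEFINE {entry.extcls} {profile} UACC(NONE)",
        f"PERMIT {profile} CLASS({entry.extcls}) ID({user}) ACCESS({access})",
    ]


def unprotected(entries: List[Tuple[SecrttEntry, Dict[str, str]]],
                racf_profiles: Set[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """(CLASS, PROFILE) names IDMS will ask RACF about that RACF does not define.

    Only discrete (exact-name) profiles are modelled; generic profiles are not.
    """
    missing = []
    for entry, fields in entries:
        if entry.secby != "EXTERNAL":
            continue  # internal security: RACF is never consulted
        key = (entry.extcls, external_resource_name(entry, fields))
        if key not in racf_profiles:
            missing.append(key)
    return missing
```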
Additional Information
Since the value specified for the #SECRTT EXTNAME field must correspond exactly to the name used in RACF as the PROFILE parameter, care must be used in choosing this value. For more detail about this, see Constructing an External Resource Name and the appropriate IBM RACF manual.