RACF to ACF2 translation for Db2 DSNTIJRA job passtickets section



Article ID: 256635


Products

ACF2, ACF2 - MISC, ACF2 - z/OS

Issue/Introduction

The userid for the Db2 ADMT PROC requires PTKTDATA privileges granted by the RACF syntax in SDSNSAMP(DSNTIJRA).  What is the ACF2 equivalent of the DSNTIJRA RACF syntax for passtickets?

Resolution

//*********************************************************************
//* Allow use of PASSTICKETS for the DB2 admin scheduler started task  
//*********************************************************************
//DSNADSP EXEC DSNTSOB,COND=(4,LT)                                     
//SYSTSIN  DD  *                                                       
//*### Activate the RACF general resource class PTKTDATA:              
//         DD  *                                                       
  SETROPTS CLASSACT(PTKTDATA)                                          
  SETROPTS RACLIST(PTKTDATA)                                           
  SETROPTS GENERIC(PTKTDATA) GENCMD(PTKTDATA)      

ACF2 equivalent:

SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-RPTK) ADD
F ACF2,REFRESH(INFODIR)


//*### Define a profile for the admin scheduler startup proc, !DSNADMT!:
//         DD  *                                                        
  RDEFINE PTKTDATA IRRPTAUTH.!DSNADMT!.* UACC(NONE)                     
  RDEFINE PTKTDATA !DSNADMT! +                                          
          SSIGNON(KEYMASKED(CACD4AD6D79ECA71)) +                        
          UACC(NONE) APPLDATA('NO REPLAY PROTECTION')                   
  PERMIT  IRRPTAUTH.!DSNADMT!.* CL(PTKTDATA) +                          
          ID(!STARTUID!) ACCESS(UPDATE)                                 
  PERMIT  !DSNADMT!             CL(PTKTDATA) +                          
          ID(!STARTUID!) ACCESS(UPDATE)                                 
                                                                        
  SETROPTS RACLIST (PTKTDATA) REFRESH                                   
  SETROPTS RACLIST (FACILITY) REFRESH                                   
  SETROPTS REFRESH GENERIC(*) RACLIST(PTKTDATA)                         
//*  

ACF2 equivalent:

SET PROFILE(PTKTDATA) DIVISION(SSIGNON)
INSERT !DSNADMT! SSKEY(CACD4AD6D79ECA71) MULT-USE
F ACF2,REBUILD(PTK),CLASS(P)  

SET R(PTK)
RECKEY IRRPTAUTH ADD( !DSNADMT!.- UID(!STARTUID!) SERVICE(READ,UPDATE) ALLOW)
RECKEY !DSNADMT! ADD( - UID(!STARTUID!) SERVICE(READ,UPDATE) ALLOW)
F ACF2,REBUILD(PTK)

Note: Verify your GSO OPTS setting for PTKRESCK|NOPTKRESCK. This option specifies whether a FASTAUTH resource validation check is made to verify that a user has the appropriate authority to generate a PassTicket for a specific user and application. If NOPTKRESCK is specified, this section can be ignored. If PTKRESCK is specified, the following must also be added:

SET R(PTK)
RECKEY PTKTGEN ADD( applid.userid UID(!STARTUID!) ALLOW) 
F ACF2,REBUILD(PTK)
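
Added example, not part of the original article or of the products it describes: a Python helper that fills the DSNTIJRA placeholders into the ACF2 commands above and refuses to emit them when a placeholder has no value or the secured signon key is still the sample value. The markers !SSKEY!, !APPLID! and !USERID!, the name render_acf2, the 16-hex-digit key check and the sample-key rejection are assumptions of this example.

```python
import re

# ACF2 commands as given in the article. !DSNADMT! and !STARTUID! are the
# DSNTIJRA placeholders; !SSKEY!, !APPLID! and !USERID! are markers added for
# this example in place of the article's literal key and "applid.userid".
BASE = """\
SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-RPTK) ADD
F ACF2,REFRESH(INFODIR)
SET PROFILE(PTKTDATA) DIVISION(SSIGNON)
INSERT !DSNADMT! SSKEY(!SSKEY!) MULT-USE
F ACF2,REBUILD(PTK),CLASS(P)
SET R(PTK)
RECKEY IRRPTAUTH ADD( !DSNADMT!.- UID(!STARTUID!) SERVICE(READ,UPDATE) ALLOW)
RECKEY !DSNADMT! ADD( - UID(!STARTUID!) SERVICE(READ,UPDATE) ALLOW)
F ACF2,REBUILD(PTK)
"""
# Extra rule the article requires only when GSO OPTS specifies PTKRESCK.
PTKRESCK_EXTRA = """\
SET R(PTK)
RECKEY PTKTGEN ADD( !APPLID!.!USERID! UID(!STARTUID!) ALLOW)
F ACF2,REBUILD(PTK)
"""
SAMPLE_KEY = "CACD4AD6D79ECA71"  # key value shown in the article's sample


def render_acf2(values, ptkresck=False):
    """Return the ACF2 command lines with every placeholder substituted."""
    key = values.get("SSKEY", "").upper()
    if not re.fullmatch(r"[0-9A-F]{16}", key):
        raise ValueError("SSKEY must be 16 hexadecimal digits")
    if key == SAMPLE_KEY:
        # Added policy of this example, not a statement from the article.
        raise ValueError("SSKEY is the published sample key; supply your own")
    if not re.fullmatch(r"[A-Z#@$][A-Z0-9#@$]{0,7}", values.get("DSNADMT", "")):
        raise ValueError("DSNADMT must be a 1-8 character procedure name")
    vals = dict(values, SSKEY=key)
    text = BASE + (PTKRESCK_EXTRA if ptkresck else "")
    missing = sorted(set(re.findall(r"!([A-Z]+)!", text)) - set(vals))
    if missing:
        raise ValueError("no value for: " + ", ".join(missing))
    return re.sub(r"!([A-Z]+)!", lambda m: vals[m.group(1)], text).splitlines()


if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    demo = {"DSNADMT": "DSNADMT", "STARTUID": "SYSDSP", "SSKEY": "0123456789abcdef"}
    print("\n".join(render_acf2(demo)))
```

Pass ptkresck=True together with APPLID and USERID values only when GSO OPTS specifies PTKRESCK; otherwise the PTKTGEN rule is omitted.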