Does CA 1 require RACF CLAUTH(USER) and if so, what functionality does it impact?
Release : 14.0
Define CA 1 Resources to RACF
The RACF RDEFINE command defines to RACF all resources belonging to the new classes specified in the Class
Descriptor table. Limit this command to the RACF Security Administrator. The following example shows how to define the new resources to RACF:
RDEFINE CA@MD (L0CLEAN) UACC(NONE)
RDEFINE CA@MD (L0CHECKI) UACC(NONE)
RDEFINE CA@MD (L0CHECKO) UACC(NONE)
RDEFINE CA@MD (L0DELETE) UACC(NONE)
RDEFINE CA@MD (L0ADD) UACC(NONE)
RDEFINE CA@MD (L0EXTEND) UACC(NONE)
RDEFINE CA@MD (L0RETAIN) UACC(NONE)
RDEFINE CA@MD (L0EXPIRE) UACC(NONE)
RDEFINE CA@MD (L0ERASE) UACC(NONE)
RDEFINE CA@MD (L0STATUS) UACC(NONE)
RDEFINE CA@MD (L0SCRATC) UACC(NONE)
RDEFINE CA@MD (L0PTRS) UACC(NONE)
RDEFINE CA@MD (L0UPDTE) UACC(NONE)
RDEFINE CA@APE (YSVCCOND) UACC(NONE) See Note 2
RDEFINE CA@APE (YSVCUNCD) UACC(NONE)
RDEFINE CA@APE (accessprofile) UACC(NONE) See Note 1
RDEFINE CA@APE (NLRES) UACC(NONE) See Note 2
RDEFINE CA@APE (NLNORES) UACC(NONE)
RDEFINE CA@APE (NSLRES) UACC(NONE) See Note 2
RDEFINE CA@APE (NSLNORES) UACC(NONE)
RDEFINE CA@APE (BLPRES) UACC(NONE)
RDEFINE CA@APE (BLPNORES) UACC(NONE)
RDEFINE CA@APE (FORRES) UACC(NONE)
RDEFINE CA@APE (FORNORES) UACC(NONE) See Note 2
RDEFINE CA@APE (EXPSEC) UACC(NONE)
RDEFINE CA@APE (BATCH) UACC(NONE)
RDEFINE CA@APE (REINIT) UACC(NONE) See Note 2
RDEFINE CA@APE (DEACT) UACC(NONE)
RDEFINE CA@APE (COPYCAT) UACC(NONE)
NOTE
Note 1: One entry for class CA@APE must be entered for each access profile that is defined in the TMOSECxx member of hlq.CTAPOPTN. These security profiles are used by the online interface (TSOTIQ or the CA 1/ISPF interface) to control what level of access within CA 1 is permitted to individual users.
Note 2: You can define UACC(READ) for any of the listed resources. We recommend that you define UACC(READ) for the following common resources:
– YSVCCOND
– NLRES
– NSLRES
– FORNORES
– REINIT
Note 3: You can change the class names based on the Class Descriptor table in CAS9SAFC.
******
Basically, CA 1 needs to know who has READ or UPDATE access to the information in the CA 1 database (the TMC). That comes from the CA@MD definitions.
PARM:
RDEFINE CA@APE (BLPRES) UACC(NONE)
When you see the CA@APE class, it deals with volume processing. The example above causes CA 1 to call RACF to check whether BLP (bypass label processing) may be used. In this example, the universal access is set to NONE.
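The definitions above applied as one batch job, as an added example that is not from the CA 1 documentation: the five common CA@APE resources from Note 2 get UACC(READ), the remaining ones UACC(NONE), a tape-administration group is permitted to the CA@MD and BLP resources, and RLIST confirms what was stored. Assumptions: the default class names CA@MD and CA@APE from CAS9SAFC, the group name TAPEADM (a placeholder), and READ as the access level CA 1 checks for (verify against your TMOSECxx settings).

```jcl
//RACFCA1  JOB (ACCT),'DEFINE CA 1 PROFILES',CLASS=A,MSGCLASS=X
//*  Added example, not CA 1 product code.
//*  TAPEADM is an assumed group name; ACCESS(READ) is assumed.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 RDEFINE CA@APE (YSVCCOND) UACC(READ)
 RDEFINE CA@APE (NLRES)    UACC(READ)
 RDEFINE CA@APE (NSLRES)   UACC(READ)
 RDEFINE CA@APE (FORNORES) UACC(READ)
 RDEFINE CA@APE (REINIT)   UACC(READ)
 RDEFINE CA@APE (BLPRES)   UACC(NONE)
 RDEFINE CA@APE (BLPNORES) UACC(NONE)
 RDEFINE CA@MD  (L0STATUS) UACC(NONE)
 RDEFINE CA@MD  (L0UPDTE)  UACC(NONE)
 PERMIT L0STATUS CLASS(CA@MD)  ID(TAPEADM) ACCESS(READ)
 PERMIT L0UPDTE  CLASS(CA@MD)  ID(TAPEADM) ACCESS(READ)
 PERMIT BLPRES   CLASS(CA@APE) ID(TAPEADM) ACCESS(READ)
 RLIST CA@MD  L0UPDTE AUTHUSER
 RLIST CA@APE BLPRES  AUTHUSER
/*
```

Because the resources default to UACC(NONE), any user not covered by a PERMIT (or by UACC(READ) on the common resources) is denied, which is the least-privilege starting point the documentation describes.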
****
Use of RACF CLAUTH(USER)
From the IBM documentation (excerpts):
https://www.ibm.com/docs/en/zvm/7.2?topic=attributes-clauth-class-authority-attribute
1) CLAUTH has no meaning for the FILE and DIRECTRY classes.
4) A user to whom you assign the CLAUTH attribute for the USER class is authorized to define new users to RACF with the ADDUSER command, provided the user is the owner of or has JOIN authority in the new user's default group.
There is no reason for CA 1 to use this RACF feature, and no CA 1 functionality depends on it. Adding users to RACF should take place outside of CA 1.