Step 2. RACF Security Definition Samples

Step 2.1 Control-O Security Definitions

Step 2.2 Function Security Definitions

Step 2.3 Control Program Access to Datasets

Select these steps to edit members CTOSRAC2, CTOSRAC3, and CTOSRAC4.

Perform the following steps to define the required permissions.

1. Associate Users with Extended Definition Mode
   1. To define the entity $$CTOEDM.qname, use the following command:

      RDEFINE FACILITY $$CTOEDM.qname UACC(NONE)

   2. To authorize USERA to Extended Definition mode, use the following command:

      PERMIT $$CTOEDM.qname ID(USERA) CLASS(FACILITY) ACCESS(READ)

   3. Submit the CTOSRAC2 job.

      This job must be run under the user ID of an administrator who has authorization to enter these commands.

   4. Scan the output of the job for information and error messages. All job steps must end with a condition code of 0.
2. Define entities and user authorizations.

   For more information about entities and user authorizations, see Control-O Basic Definition Security Calls, and Control-O Extended Definition Security Calls.

To define and authorize the entity in Extended Definition mode to protect ordering of Control‑O rules beginning with SYS, specify the following command:

RDEFINE FACILITY $$CTOORD.qname.SYS* UACC(NONE)
PERMIT $$CTOORD.qnam.SYS* CLASS(FACILITY) ID(USERA) ACCESS(READ)

where qname is the name used to assign different authorizations to different Control‑O environments (for example, Test and Production). This parameter is specified during IOA installation.

To authorize USERA access to a given Control‑O entity, use the following command:

PERMIT $$CTOnnn.qname CLASS(FACILITY) ID(USERA) ACCESS(READ)

where CTOnnn is the name of the Control‑O entity to be accessed.

All entity names for each Control‑O protected element appear in Basic Definition Mode and Extended Definition Mode.

For samples of user authorizations, review member CTOSRAC3 in the IOA INSTWORK library.