IMS™ subsystems and ZDT/IMS functions access control facility
ZDT/IMS allows you to control which IMS™ subsystems a user can access when using each of the functions listed in the Protected ZDT/IMS Functions table below. These functions are protected by default when you receive ZDT/IMS.
Function code | Description | UPDATE or READONLY
---|---|---
DBI | Initialize dialog - generates JCL for the initialize function | UPDATE |
DDD | Delete or define dialog - generates JCL to delete or define database data sets | UPDATE |
DIB | Initialize - initialize databases (batch) | UPDATE |
IB | Browse - browse a database | READONLY |
IBBO | Batch browse dialog - generate JCL for the batch browse function | READONLY |
IBB | Batch browse - read a database in batch (batch) | READONLY |
IE | Edit - edit a database | UPDATE |
IEBO | Batch edit dialog - generates JCL for the batch edit function | UPDATE |
IEB | Batch edit - edit a database in batch (batch) | UPDATE |
IPRO | Print dialog - generates JCL for the print function | READONLY |
IPR | Print - print data from databases (batch) | READONLY |
IX | Extract dialog - generates JCL for the extract function | READONLY |
IXB | Extract - extract data from databases (batch) | READONLY |
IL | Load dialog - generates JCL for the load function | UPDATE |
ILB | Load - load data into databases (batch) | UPDATE |
You can grant or deny some or all users access to:
- Individual IMS™ subsystems by individual functions in Protected ZDT/IMS Functions.
- Individual functions in Protected ZDT/IMS Functions. When you grant or deny users access to individual functions, they are granted or denied access to all IMS™ subsystems when using these functions.
- Individual IMS™ subsystems by the update or read-only functions.
- The update or read-only functions. When you grant or deny users access to the update or read-only functions, they are granted or denied access to all IMS™ subsystems when using the update or read-only functions.
ZDT/IMS provides security for these functions in one of two ways: through RACF® (or an equivalent security product) or through the HFMSECUR exit.
If Security Server RACF® or an equivalent security product is active, the System Authorization Facility (SAF) with the Z Data Tools enhanced security facility is used for access control and authorization verification. Authorization is controlled by ZDT/IMS-specific profiles in the FACILITY class. This chapter describes the ZDT/IMS-specific profiles that you must define to RACF® or your equivalent security product. It also describes how you define these profiles to RACF®. If you use another security product, consult the documentation for your product to determine how to define these profiles to your product.
If SAF with RACF® (or an equivalent security product) is not active when a Z Data Tools/IMS function is started, the function access control checks are passed to the HFMSECUR user exit instead of to SAF.
HFMSECUR must be installed in the LPA before it can be used. If the HFMSECUR module is required and cannot be found in the LPA, an error message is issued and the ZDT/IMS function does not start.
HFMSECUR is a customizable exit. It provides HFMS macros which allow you to define a table of user names or job names, Z Data Tools-protectable resources (called profiles), and access levels. For information on HFMSECUR, see "Setting up the security environment by using HFMSECUR".
- The HFMSECUR module is not used (even if present) if SAF with RACF® or an equivalent security product is active when a Z Data Tools/IMS function is started.
- ZDT/IMS functions that are not listed in Protected ZDT/IMS Functions cannot be protected by RACF® (or an equivalent security product) or by the HFMSECUR exit.
The rest of this section describes how you implement security controls in RACF® (or an equivalent security product) for the functions in Protected ZDT/IMS Functions.