SDT server authorization security check
When a region attempts to be an SDT server, it calls RACF to check whether its user ID has the required access authority to its APPLID.
If the call fails, the region cannot initialize the required SDT support to be a server. This minimizes the risk that an AOR might accept counterfeit data records from an FOR that is not properly authorized to act as an SDT server. This check is never bypassed, even when SEC=NO is specified at system initialization.
To act as a server for a protected APPLID, an SDT FOR's user ID must have UPDATE (or higher) access to its DFHAPPL.applid profile in the FACILITY class. In the following example definitions, the APPLID of the FOR is CICSHF01, and its user ID is CICSSDT1:
RDEFINE FACILITY (DFHAPPL.CICSHF01) UACC(NONE)
PERMIT DFHAPPL.CICSHF01 CLASS(FACILITY) ID(CICSSDT1) ACCESS(UPDATE)
The first example authorizes one FOR to act as a server with APPLID CICSHF01, running under user ID CICSSDT1. The following example shows how to authorize a group of FORs, with user IDs defined as members of group SDTGRP1, to act as SDT servers using a generic profile in the FACILITY class:
RDEFINE FACILITY (DFHAPPL.CICSTST*) UACC(READ)
PERMIT DFHAPPL.CICSTST* CLASS(FACILITY) ID(SDTGRP1) ACCESS(UPDATE)
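The following Python sketch is an added example, not part of the original documentation or of CICS or RACF. It models the check described above over a deck of DFHAPPL commands so a reviewer can see which user IDs would reach UPDATE before the commands are run. Assumptions: the function names are illustrative, only trailing-* generic profiles are matched, ID(*) entries are not modelled, list-of-groups checking is taken to be active, and group membership is supplied by the caller.

```python
import re

LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]  # RACF access order

# The four commands from the examples above, used as the input deck.
DECK = """
RDEFINE FACILITY (DFHAPPL.CICSHF01) UACC(NONE)
PERMIT DFHAPPL.CICSHF01 CLASS(FACILITY) ID(CICSSDT1) ACCESS(UPDATE)
RDEFINE FACILITY (DFHAPPL.CICSTST*) UACC(READ)
PERMIT DFHAPPL.CICSTST* CLASS(FACILITY) ID(SDTGRP1) ACCESS(UPDATE)
"""

def parse_deck(deck):
    """Build {profile: {"uacc": level, "acl": {id: level}}} from the deck."""
    profiles = {}
    for line in deck.upper().splitlines():
        m = re.match(r"\s*RDEFINE\s+FACILITY\s+\(?([^\s)]+)\)?\s+UACC\((\w+)\)", line)
        if m:
            profiles[m.group(1)] = {"uacc": m.group(2), "acl": {}}
            continue
        m = re.match(r"\s*PERMIT\s+(\S+)\s+CLASS\(FACILITY\)\s+ID\(([^)]+)\)\s+ACCESS\((\w+)\)", line)
        if m and m.group(1) in profiles:
            profiles[m.group(1)]["acl"][m.group(2)] = m.group(3)
    return profiles

def covering_profile(profiles, applid):
    """Discrete profile if one exists, else the longest matching trailing-* generic."""
    name = "DFHAPPL." + applid
    if name in profiles:
        return name
    generics = [p for p in profiles if p.endswith("*") and name.startswith(p[:-1])]
    return max(generics, key=len, default=None)

def access(profiles, applid, userid, groups=()):
    """Access level the user ID would hold, or None if no profile covers the APPLID."""
    name = covering_profile(profiles, applid)
    if name is None:
        return None
    acl = profiles[name]["acl"]
    if userid in acl:                      # explicit user entry takes precedence
        return acl[userid]
    held = [acl[g] for g in groups if g in acl]
    if held:                               # highest authority among the user's groups
        return max(held, key=LEVELS.index)
    return profiles[name]["uacc"]          # otherwise universal access applies

def can_be_sdt_server(profiles, applid, userid, groups=()):
    """True only if the modelled access is UPDATE or higher."""
    level = access(profiles, applid, userid, groups)
    return level is not None and LEVELS.index(level) >= LEVELS.index("UPDATE")

PROFILES = parse_deck(DECK)
```

In this model a user ID outside SDTGRP1 gets only READ from the generic profile's UACC, which is below the UPDATE that the server check requires.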