You can control which users can issue the START LLA and MODIFY LLA
commands. When a user issues the START LLA and MODIFY LLA commands,
the library lookaside facility (LLA) invokes a RACF® authorization
check. This is done for each parameter library data set that LLA needs
to access, and for each LLA-managed data set.

To do this, perform the following steps:
- If data set profiles for each LLA parameter library
data set do not currently exist, create them. These parameter library
data sets are those containing CSVLLAxx members
that specify which libraries LLA is to manage and how it is to manage
them. Make sure each LLA command user (or a group to which the user
belongs) has READ access to all parameter library data sets that you
protect.
- Create profiles in the FACILITY class to protect the LLA-managed data sets.
These data sets are the libraries that are specified in the CSVLLAxx and
LNKLSTxx members of a parameter library. For example:
RDEFINE FACILITY CSVLLA.data-set-name UACC(NONE)
where data-set-name is the name of the LLA-managed data set.
Because of the CSVLLA prefix used on the resource names, and because
the FACILITY class profiles can only be 39 characters long, the
data-set-name portion of this profile is limited to 32 characters.
If your data set name is longer than 32 characters, use generics so
that the FACILITY class profile stays within the 39-character limit.
Note:
  - You should consider creating the same FACILITY profiles as you
    did data set profiles in Step 1.
  - To have this protection, you must create profiles in the FACILITY
    class as well as the DATASET class if you do not have access to the
    data set already.
  - The LLA facility first checks the user's access through the FACILITY
    class profile and, unless this access is allowed, then checks for
    access through a data set profile.
- Give users and groups the appropriate access authority:
PERMIT CSVLLA.data-set-name CLASS(FACILITY) ID(userid or groupname) ACCESS(access-authority)
This PERMIT command allows users or groups to issue LLA commands for
the specified LLA-managed library. This access authority
(access-authority) can be one of the following:
  - NONE: Allows no access.
  - UPDATE: Allows users to work with the data sets using the LLA START
    and LLA MODIFY commands.
  - ALTER: For discrete profiles, allows same access as UPDATE, plus the
    ability to change the profile itself. For generic profiles,
    equivalent to UPDATE.
- If you have not already done so, activate the FACILITY class:
SETROPTS CLASSACT(FACILITY)
Example:
To control all LLA-managed data sets whose high-level
qualifier is CICS®, enter:
ADDSD 'CICS.*' UACC(NONE)
PERMIT 'CICS.*' ID(CICS) ACCESS(READ)
RDEFINE FACILITY CSVLLA.CICS.* UACC(NONE)
PERMIT CSVLLA.CICS.* CLASS(FACILITY) ID(CICS) ACCESS(UPDATE)
SETROPTS CLASSACT(FACILITY)
This command sequence allows CICS to
issue the LLA MODIFY command for the LLA-managed data sets whose high-level
qualifier is CICS.
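
As an added example (not IBM's code and not part of the original page), the following Python script builds the RDEFINE, PERMIT and SETROPTS commands from the steps above for a list of LLA-managed data set names, and sets aside any name longer than 32 characters, which needs a generic profile chosen by an administrator. The function name plan_lla_profiles, the sample data set names and the input validation are assumptions of this example.

```python
import re

PREFIX = "CSVLLA."
FACILITY_MAX = 39                            # FACILITY profile name limit (from the page)
SUFFIX_MAX = FACILITY_MAX - len(PREFIX)      # 32 characters left for data-set-name
ACCESS_LEVELS = {"NONE", "UPDATE", "ALTER"}  # values the page lists for access-authority
# z/OS data set name qualifier: 1-8 characters, first one alphabetic or national
QUALIFIER = re.compile(r"^[A-Z#@$][A-Z0-9#@$-]{0,7}$")
RACF_ID = re.compile(r"^[A-Z0-9#@$]{1,8}$")  # user ID or group name


def plan_lla_profiles(datasets, ident, access="UPDATE"):
    """Return (commands, needs_generic) for a list of LLA-managed data set names."""
    ident = ident.strip().upper()
    if access not in ACCESS_LEVELS or not RACF_ID.match(ident):
        raise ValueError(f"bad access authority or ID: {access!r}, {ident!r}")
    commands, needs_generic = [], []
    for dsn in datasets:
        dsn = dsn.strip().upper()
        if len(dsn) > 44 or not all(QUALIFIER.match(q) for q in dsn.split(".")):
            raise ValueError(f"not a valid data set name: {dsn!r}")
        if len(dsn) > SUFFIX_MAX:
            # A discrete profile would exceed 39 characters. The generic profile
            # is left to the administrator, so no command is emitted for it.
            needs_generic.append(dsn)
            continue
        resource = PREFIX + dsn
        commands.append(f"RDEFINE FACILITY {resource} UACC(NONE)")
        commands.append(f"PERMIT {resource} CLASS(FACILITY) ID({ident}) ACCESS({access})")
    if commands:
        # Only needed if the FACILITY class is not already active
        commands.append("SETROPTS CLASSACT(FACILITY)")
    return commands, needs_generic


if __name__ == "__main__":
    # Constructed sample names, not taken from any real system
    sample = ["CICS.PROD.SDFHLOAD", "APPL.PAYROLL.RELEASE1.TESTING.LOADLIB1"]
    cmds, long_names = plan_lla_profiles(sample, "CICS")
    print("\n".join(cmds))
    for name in long_names:
        print(f"needs generic profile (> {SUFFIX_MAX} chars): {name}")
```

Review the names reported as needing a generic profile before defining one, because a generic profile also covers every other resource name that matches it.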