AUTH Command: Identifying authorized users
There are two methods used to authorize user commands. DFSMShsm allows an installation to control the authorization of its commands through the use of either RACF® FACILITY class profiles or the AUTH command.
If the RACF FACILITY class is active:
- DFSMShsm uses RACF FACILITY class checking for all authorized and user commands
- DFSMShsm honors profiles in the FACILITY class that are added or modified
If the RACF FACILITY class is not active when DFSMShsm starts, DFSMShsm uses the AUTH command to determine authorized DFSMShsm users and commands.
The AUTH command identifies two kinds of authorized user: the user who can issue authorized DFSMShsm commands only, and the user who can not only issue authorized DFSMShsm commands but can also add, delete, and change the authority of other DFSMShsm users. When DFSMShsm is installed, the storage administrator with responsibility for DFSMShsm should be identified as the authorized user who can affect the authority of other DFSMShsm users.
The AUTH command can be submitted only by users who are already authorized users with the database authority control attribute; otherwise, the command must be part of the PARMLIB member that is processed during DFSMShsm startup.
- Use the AUTH command carefully because anyone who is an authorized user can issue DFSMShsm user commands without having RACF check the security of the command issuer.
- The AUTH command cannot be issued from the system console.
- If you issue the AUTH command when the RACF FACILITY class is active, it completes with a return code of four. The authorized user record (MCU) is still created or updated, but access to the DFSMShsm storage administrator commands is still controlled by the RACF FACILITY class. Maintaining accurate MCU records is helpful when the RACF FACILITY class is not active or when using StorWatch DFSMShsm Monitor.
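The following Python audit is an added example, not part of the IBM documentation: it reads the text of a PARMLIB startup member and lists the users its AUTH statements authorize, that is, the users who can issue DFSMShsm commands without a RACF check when the FACILITY class is not active. It assumes the statement forms `AUTH userid DATABASEAUTHORITY(USER|CONTROL)` and `AUTH userid REVOKE`, the `DBA` abbreviation, `/* */` comments, and a trailing `-` or `+` as the continuation character; the member text and user IDs are constructed.

```python
import re

# Constructed sample of a startup PARMLIB member; all user IDs are made up.
SAMPLE_MEMBER = """\
/* DFSMShsm startup commands (constructed sample) */
AUTH STGADM1 DATABASEAUTHORITY(CONTROL)
AUTH OPER01 DBA(USER)
AUTH BATCH7 -
     DATABASEAUTHORITY(CONTROL)
AUTH OLDADM DBA(CONTROL)
AUTH OLDADM REVOKE
SETSYS NOSMF
"""

# Assumed AUTH forms: DATABASEAUTHORITY/DBA with USER or CONTROL, or REVOKE.
AUTH_RE = re.compile(
    r"^AUTH\s+(\S+)\s+(?:(?:DATABASEAUTHORITY|DBA)\s*\(\s*(USER|CONTROL)\s*\)"
    r"|(REVOKE))\s*$")

def logical_statements(text):
    """Drop /* */ comments, join continued lines, yield upper-cased statements."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    pending = ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(("-", "+")):      # statement continues on the next line
            pending += line[:-1] + " "
            continue
        stmt = (pending + line).strip().upper()
        pending = ""
        if stmt:
            yield stmt

def authorized_users(text):
    """Return {userid: 'USER' | 'CONTROL'} after applying AUTH statements in order."""
    users = {}
    for stmt in logical_statements(text):
        m = AUTH_RE.match(stmt)
        if not m:
            continue                        # not an AUTH statement in the assumed form
        userid, level, revoke = m.groups()
        if revoke:
            users.pop(userid, None)         # REVOKE removes the user's authority
        else:
            users[userid] = level           # a later statement overrides an earlier one
    return users

def control_users(text):
    """Users who can add, delete, and change the authority of other users."""
    return sorted(u for u, lvl in authorized_users(text).items() if lvl == "CONTROL")

if __name__ == "__main__":
    for user, level in sorted(authorized_users(SAMPLE_MEMBER).items()):
        print(f"{user:8} {level}")
```

Authorized user records (MCU) created by earlier AUTH commands are not visible in the member, so this output covers only what the startup member itself grants.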