Step 5. Select RACF-Specific Characteristics
If your system specifically has RACF® installed as the ESM, the following entries set defaults for the DirMaint RACF connector function. The RACF connector function issues RACF commands in order to communicate RACF updates associated with certain DIRM commands. This includes user creation and deletion, password management, POSIX segment management, ACI group management, permission requirements for facilities that require additional coordinated CP and RACF privileges, and discrete resource profile creation and deletion.
In order for the DIRMAINT service machine to be able to issue RACF commands and control RACF functions, the DIRMAINT service machine must be given the group-SPECIAL or SPECIAL attribute as shown below.
Note that if RACF administration is decentralized, then DirMaint should have the group-SPECIAL attribute. This attribute makes DirMaint an administrator at a group level, thereby enabling it to control access to its group and to issue RACF commands.
Verifying that RACF Administration is Decentralized
RAC LU DIRMAINT
CONNECT ATTRIBUTES=SPECIAL
RAC CONNECT DIRMAINT GROUP(grpname) SPECIAL
If RACF administration is centralized, then DirMaint should have the SPECIAL attribute, which makes it an administrator and enables it to issue RACF commands and to control access to all users.
A sample file, CONFIGRC SAMPDVH, is supplied with the product code on the 6VMDIR40 2C2 disk. If no RACF communication is desired, no action is required. If RACF communication is desired, this file should be copied to the DIRMAINT 11F disk and renamed to CONFIGRC DATADVH, to be used as an override file for RACF-specific configuration entries. The sample override file contains a USE_RACF= YES ALL configuration statement to configure the DirMaint server to use all default IBM®-supplied RACF connector support. The sample file should be reviewed and changed to meet the needs of the installation, if required.
- 1
- The USE_RACF= entry enables (by specifying YES) or disables (by specifying NO) all or certain functions in the DirMaint RACF connector support. Multiple USE_RACF= statements may be used to enable/disable multiple RACF connector functions.
USE_RACF= YES ALL enables all DirMaint RACF connector support (except for the support within any RACF connector EXEC specified in a USE_RACF= NO statement). For example, the combination of the following two USE_RACF= statements enables all RACF connector support except for the support included within the DVHRUN EXEC:
USE_RACF= YES ALL
USE_RACF= NO DVHRUN EXEC
USE_RACF= NO ALL indicates that all DirMaint RACF connector support is disabled (except for the support within any RACF connector EXEC specified on a USE_RACF= YES statement). USE_RACF= NO ALL is the default if no USE_RACF= YES ALL statement is configured. When USE_RACF= NO ALL is used, all USE_RACF= YES ALL statements will be ignored. For example, by specifying the following two statements, all RACF connector function is disabled except that which is included within the DVHRPN EXEC:
USE_RACF= NO ALL
USE_RACF= YES DVHRPN EXEC
The following table shows the RAC commands issued by each DirMaint RACF connector EXEC during the processing of specific DIRM commands. You can enable/disable the RACF connector support provided by a specific EXEC by specifying the associated EXEC's file name and file type (EXEC) on the USE_RACF= statement.
Table 1. RAC Commands Issued by DirMaint RACF Connector EXECs
Columns: File Name; Type of Change; DIRM Command; RAC Commands Issued (in order of execution)
File name: DVHRDN. Type of change: DASD.
DIRM command: ADD, AMDISK, CLONEDISK
RDEFINE VMMDISK resource_name OWNER(target_id) racf_rdefine_vmmdisk_defaults
PERMIT resource_name CLASS(VMMDISK) ID(DIRMAINT) DELETE
PERMIT resource_name CLASS(VMMDISK) ID(target_id) racf_disk_owner_access
DIRM command: CHNGID, CHVADDR, TMDISK
If MOVELINKS:
Save link authorizations for old disk using:
RLIST VMMDISK old_resource AUTH
RDELETE VMMDISK old_resource
RDEFINE VMMDISK new_resource OWNER(target_id) racf_rdefine_vmmdisk_defaults
PERMIT new_resource CLASS(VMMDISK) ID(DIRMAINT) DELETE
For each saved link authorization for MOVELINKS:
PERMIT new_resource CLASS(VMMDISK) ID(id) ACC(access)
DIRM command: CMDISK
Save universal access mode, owner ID, audit information, and link authorizations using:
RLIST VMMDISK resource_name AUTH
RALTER VMMDISK resource_name UACC(saved_uacc)
OWNER(saved_owner) AUDIT(saved_audit)
For each saved link authorization:
PERMIT resource_name CLASS(VMMDISK) ID(id) ACC(access)
DIRM command: DMDISK, PURGE
RDELETE VMMDISK resource_name
File name: DVHRLB. Type of change: LOGONBY.
DIRM command: LOGONBY
If not already there:
RDEFINE SURROGAT LOGONBY.target_id racf_rdefine_surrogat_defaults
PERMIT LOGONBY.target_id CLASS(SURROGAT) ID(DIRMAINT) DELETE
If operand is ADD:
PERMIT LOGONBY.target_id CLASS(SURROGAT) ID(logonby_id) ACC(READ)
If operand is DELETE:
PERMIT LOGONBY.target_id CLASS(SURROGAT) ID(logonby_id) DELETE
If this leaves no more permitted IDs:
RDELETE SURROGAT LOGONBY.target_id
File name: DVHRLN. Type of change: LINK.
DIRM command: CHNGID
Save link authorizations for old link using:
RLIST VMMDISK resource_name AUTH
PERMIT resource_name CLASS(VMMDISK) ID(target_id) DELETE
For each saved link authorization:
PERMIT resource_name CLASS(VMMDISK) ID(target_id) ACCESS(saved_access)
DIRM command: DLINK, PURGE
PERMIT resource_name CLASS(VMMDISK) ID(target_id) DELETE
DIRM command: LINK, ADD (ADD generates LINK commands)
PERMIT resource_name CLASS(VMMDISK) ID(target_id) ACCESS(highest_auth)
DIRM command: REPLACE
PERMIT old_resource CLASS(VMMDISK) ID(target_id) DELETE
PERMIT new_resource CLASS(VMMDISK) ID(target_id) ACCESS(highest_auth)
File name: DVHRPESM. Type of change: POSIX.
DIRM command: POSIXFSROOT
If specified root is not DELETE:
ALTUSER target_id OVM(FSROOT(root))
If specified root is DELETE:
ALTUSER target_id OVM(NOFSROOT)
DIRM command: POSIXGLIST
If operands are ADD GNAME:
For each specified gname:
CONNECT target_id GROUP(gname)
If operands are ADD GID:
For each specified g_id:
gid = 'G'g_id
Retrieve associated gname using:
RLIST VMPOSIX gid ALL
CONNECT target_id GROUP(gname)
If operands are DELETE GNAME:
For each specified gname:
REMOVE target_id GROUP(gname)
If operands are DELETE GID:
For each specified g_id:
gid = 'G'g_id
Retrieve associated gname using:
RLIST VMPOSIX gid ALL
REMOVE target_id GROUP(gname)
If operands are DELETE *:
For each gname on user's POSIXGLIST statement:
REMOVE target_id GROUP(gname)
For each g_id on user's POSIXGLIST statement:
gid = 'G'g_id
Retrieve associated gname using:
RLIST VMPOSIX gid ALL
REMOVE target_id GROUP(gname)
DIRM command: POSIXGROUP
If gid is not DELETE:
If necessary:
ADDGROUP gname
For specified gid:
ALTGROUP gname OVM(GID(gid))
If gid is DELETE:
If necessary:
DELGROUP gname
DIRM command: POSIXINFO
If operands are FSROOT root:
ALTUSER target_id OVM(FSROOT(root))
If operands are FSROOT DELETE or DELETE:
ALTUSER target_id OVM(NOFSROOT)
If operands are GID g_id:
gid = 'G'g_id
Retrieve associated gname using:
RLIST VMPOSIX gid ALL
CONNECT target_id GROUP(gname)
If operands are GID DELETE or DELETE:
Retrieve associated g_id from user's POSIXINFO statement.
gid = 'G'g_id
Retrieve associated gname using:
RLIST VMPOSIX gid ALL
REMOVE target_id GROUP(gname)
If operands are GNAME gname:
If necessary:
ADDGROUP gname
CONNECT target_id GROUP(gname)
If operands are GNAME DELETE or DELETE:
Retrieve associated gname from user's POSIXINFO statement
REMOVE target_id GROUP(gname)
If operands are IUPGM iupgm:
ALTUSER target_id OVM(PROGRAM(iupgm))
If operands are IUPGM DELETE or DELETE:
ALTUSER target_id OVM(NOPROGRAM)
If operands are IWDIR iwdir:
ALTUSER target_id OVM(HOME(iwdir))
If operands are IWDIR DELETE or DELETE:
ALTUSER target_id OVM(NOHOME)
If operands are UID uid:
ALTUSER target_id OVM(UID(uid))
If operands are UID NEXT:
ALTUSER target_id OVM(UID(next_uid))
If operands are UID DELETE or DELETE:
ALTUSER target_id OVM(NOUID)
DIRM command: POSIXIUPGM
If specified iupgm is not DELETE:
ALTUSER target_id OVM(PROGRAM(iupgm))
If specified iupgm is DELETE:
ALTUSER target_id OVM(NOPROGRAM)
DIRM command: POSIXIWDIR
If specified iwdir is not DELETE:
ALTUSER target_id OVM(HOME(iwdir))
If specified iwdir is DELETE:
ALTUSER target_id OVM(NOHOME)
DIRM command: POSIXOPT
If operands are QUERYDB ALLOW or QUERYDB SYSDEFAULT:
If necessary:
RDEFINE VMPOSIX POSIXOPT.QUERYDB racf_rdefine_vmposix.querydb
PERMIT POSIXOPT.QUERYDB CLASS(VMPOSIX) ID(DIRMAINT) DELETE
PERMIT POSIXOPT.QUERYDB CLASS(VMPOSIX) ID(target_id) ACC(READ)
If operands are QUERYDB DELETE or QUERYDB DISALLOW:
PERMIT POSIXOPT.QUERYDB CLASS(VMPOSIX) ID(target_id) ACC(NONE)
If operands are SETIDS ALLOW:
If necessary:
RDEFINE VMPOSIX POSIXOPT.SETIDS racf_rdefine_vmposix.setids
PERMIT POSIXOPT.SETIDS CLASS(VMPOSIX) ID(DIRMAINT) DELETE
PERMIT POSIXOPT.SETIDS CLASS(VMPOSIX) ID(target_id) ACC(READ)
If operands are SETIDS DELETE or SETIDS DISALLOW:
PERMIT POSIXOPT.SETIDS CLASS(VMPOSIX) ID(target_id) ACC(NONE)
If operand is DELETE:
If SETIDS on user's POSIXOPT statement:
PERMIT POSIXOPT.SETIDS CLASS(VMPOSIX) ID(target_id) ACC(NONE)
If QUERYDB on user's POSIXOPT statement:
PERMIT POSIXOPT.QUERYDB CLASS(VMPOSIX) ID(target_id) ACC(NONE)
File name: DVHRPN. Type of change: PASSWORD.
DIRM command: PW
For passphrase:
ALTUSER target_id PHRASE(passphrase) NOEXPIRED
For password:
ALTUSER target_id PASSWORD(password) NOEXPIRED
For AUTOONLY, LBYONLY, NOPASS:
ALTUSER target_id NOPASSWORD NOPHRASE
For NOLOG:
ALTUSER target_id REVOKE
DIRM command: SETPW
For passphrase:
ALTUSER target_id PHRASE(passphrase)
For password:
ALTUSER target_id PASSWORD(password)
For AUTOONLY, LBYONLY, NOPASS:
ALTUSER target_id NOPASSWORD NOPHRASE
For NOLOG:
ALTUSER target_id REVOKE
File name: DVHRUN. Type of change: USER.
DIRM command: ADD
If ACIGROUP statement exists:
If necessary:
ADDGROUP aci_group
DFLTGRP in racf_adduser_defaults is changed to aci_group
ADDUSER target_id OWNER(DIRMAINT) PASSWORD(password)
racf_adduser_defaults
If password is AUTOONLY, LBYONLY or NOPASS:
ALTUSER target_id NOPASSWORD NOPHRASE
If password is NOLOG:
ALTUSER target_id REVOKE
If POSIXOPT QUERYDB ALLOW or POSIXOPT QUERYDB SYSDEFAULT:
If necessary:
RDEFINE VMPOSIX POSIXOPT.QUERYDB racf_rdefine_vmposix.querydb
PERMIT POSIXOPT.QUERYDB CLASS(VMPOSIX) ID(DIRMAINT) DELETE
PERMIT POSIXOPT.QUERYDB CLASS(VMPOSIX) ID(target_id) ACC(READ)
If POSIXOPT QUERYDB DISALLOW:
If necessary:
RDEFINE VMPOSIX POSIXOPT.QUERYDB racf_rdefine_vmposix.querydb
PERMIT POSIXOPT.QUERYDB CLASS(VMPOSIX) ID(DIRMAINT) DELETE
PERMIT POSIXOPT.QUERYDB CLASS(VMPOSIX) ID(target_id) ACC(NONE)
If POSIXOPT SETIDS ALLOW:
If necessary:
RDEFINE VMPOSIX POSIXOPT.SETIDS racf_rdefine_vmposix.setids
PERMIT POSIXOPT.SETIDS CLASS(VMPOSIX) ID(DIRMAINT) DELETE
PERMIT POSIXOPT.SETIDS CLASS(VMPOSIX) ID(target_id) ACC(READ)
If POSIXOPT SETIDS DISALLOW:
If necessary:
RDEFINE VMPOSIX POSIXOPT.SETIDS racf_rdefine_vmposix.setids
PERMIT POSIXOPT.SETIDS CLASS(VMPOSIX) ID(DIRMAINT) DELETE
PERMIT POSIXOPT.SETIDS CLASS(VMPOSIX) ID(target_id) ACC(NONE)
If POSIXINFO UID uid:
ALTUSER target_id OVM(UID(uid))
If POSIXINFO GID g_id:
gid = 'G'g_id
Retrieve associated gname using RLIST VMPOSIX gid ALL
CONNECT target_id GROUP(gname)
If POSIXINFO GNAME gname:
If necessary:
ADDGROUP gname
CONNECT target_id GROUP(gname)
If POSIXINFO IWDIR iwdir:
ALTUSER target_id OVM(HOME(iwdir))
If POSIXINFO IUPGM iupgm:
ALTUSER target_id OVM(PROGRAM(iupgm))
If POSIXINFO FSROOT root:
ALTUSER target_id OVM(FSROOT(root))
If POSIXGLIST GNAMES:
For each specified gname:
CONNECT target_id GROUP(gname)
If POSIXGLIST GIDS:
For each specified g_id:
gid = 'G'g_id
Retrieve associated gname using RLIST VMPOSIX gid ALL
CONNECT target_id GROUP(gname)
For each *RACF= rac_command:
rac_command
If LOGONBY log_users:
RDEFINE SURROGAT LOGONBY.target_id racf_rdefine_surrogat_defaults
PERMIT LOGONBY.target_id CLASS(SURROGAT) ID(DIRMAINT) DELETE
If password is LBYONLY:
PERMIT LOGONBY.target_id CLASS(SURROGAT) ID(target_id) DELETE
If password is not LBYONLY:
PERMIT LOGONBY.target_id CLASS(SURROGAT) ID(target_id) ACC(READ)
For each user_id on LOGONBY:
PERMIT LOGONBY.target_id CLASS(SURROGAT) ID(user_id) ACC(READ)
If there are RACF_RDEFINE_VMBATCH_DEFAULTS:
RDEFINE VMBATCH target_id
racf_rdefine_vmbatch_defaults
RAC PERMIT target_id CLASS(VMBATCH) ID(DIRMAINT) DELETE
If there are RACF_VMBATCH_DEFAULT_MACHINES:
For each default_machine:
RAC PERMIT target_id CLASS(VMBATCH) ID(default_machine) ACC(CONTROL)
If there are RACF_RDEFINE_VMRDR_DEFAULTS:
If ACIGROUP exists:
RDEFINE VMRDR acigroup.target_id racf_rdefine_vmrdr_defaults
PERMIT acigroup.target_id CLASS(VMRDR) ID(DIRMAINT) DELETE
If ACIGROUP does not exist:
RDEFINE VMRDR target_id racf_rdefine_vmrdr_defaults
PERMIT target_id CLASS(VMRDR) ID(DIRMAINT) DELETE
DIRM command: CHNGID
For Old ID:
Save groups from LU old_id
Save OVM settings from LU old_id OVM NORACF
Save QUERYDB settings from
RLIST VMPOSIX.QUERYDB AUTH
Save SETIDS settings from
RLIST VMPOSIX.SETIDS AUTH
Save LOGONBY authorizations from
RLIST SURROGAT LOGONBY.old_id AUTH
Save VMBATCH authorizations from
RLIST VMBATCH old_id AUTH
Save VMRDR authorizations from
RLIST VMRDR old_id AUTH
For New ID:
ADDUSER new_id OWNER(DIRMAINT)
PASSWORD(old_password) racf_adduser_defaults
If old_password is AUTOONLY, LBYONLY or NOPASS:
ALTUSER new_id NOPASSWORD NOPHRASE
If old_password is NOLOG:
ALTUSER new_id REVOKE
For each saved group:
CONNECT new_id GROUP(group)
If QUERYDB access saved:
PERMIT POSIXOPT.QUERYDB CLASS(VMPOSIX) ID(new_id) ACC(saved_acc)
If SETIDS access saved:
PERMIT POSIXOPT.SETIDS CLASS(VMPOSIX) ID(new_id) ACC(saved_acc)
For each ovm_kw and ovm_value saved:
ALTUSER new_id OVM(ovm_kw(ovm_value))
If there are RACF surrogate defaults configured:
RDEFINE SURROGAT LOGONBY.new_id racf_rdefine_surrogat_defaults
PERMIT LOGONBY.new_id CLASS(SURROGAT) ID(DIRMAINT) DELETE
If old_password is LBYONLY:
PERMIT LOGONBY.new_id CLASS(SURROGAT) ID(new_id) DELETE
If old_password is not LBYONLY:
PERMIT LOGONBY.new_id CLASS(SURROGAT) ID(new_id) ACC(READ)
For each saved surrogate authorization:
PERMIT LOGONBY.new_id CLASS(SURROGAT) ID(saved_userid)
ACC(saved_access)
If there are VMRDR defaults configured:
If ACIGROUP exists:
RDEFINE VMRDR acigroup.new_id racf_rdefine_vmrdr_defaults
PERMIT acigroup.new_id CLASS(VMRDR) ID(DIRMAINT) DELETE
If ACIGROUP does not exist:
RDEFINE VMRDR new_id racf_rdefine_vmrdr_defaults
PERMIT new_id CLASS(VMRDR) ID(DIRMAINT) DELETE
For each saved VMRDR authorization:
PERMIT new_id CLASS(VMRDR) ID(saved_userid) ACC(saved_access)
If there are VMBATCH defaults configured:
RDEFINE VMBATCH new_id racf_rdefine_vmbatch_defaults
RAC PERMIT new_id CLASS(VMBATCH) ID(DIRMAINT) DELETE
For each saved VMBATCH authorization:
PERMIT new_id CLASS(VMBATCH) ID(saved_userid) ACC(saved_access)
DIRM command: PURGE
Retrieve surrogate authorizations for target_id using:
RLIST SURROGAT LOGONBY.target_id AUTH
For each surrogate user:
PERMIT LOGONBY.target_id CLASS(SURROGAT) ID(userid) DELETE
RDELETE SURROGAT LOGONBY.target_id
If target_id has access to VMPOSIX POSIXOPT.QUERYDB:
PERMIT POSIXOPT.QUERYDB CLASS(VMPOSIX) ID(target_id) DELETE
If target_id has access to VMPOSIX POSIXOPT.SETIDS:
PERMIT POSIXOPT.SETIDS CLASS(VMPOSIX) ID(target_id) DELETE
Retrieve groups to which target_id has access using:
LU target_id
For each group to which target_id has access:
REMOVE target_id GROUP(group)
RDELETE VMBATCH target_id
If ACIGROUP exists:
RDELETE VMRDR acigroup.target_id
If ACIGROUP does not exist:
RDELETE VMRDR target_id
DELUSER target_id
File name: DVHRVN. Type of change: NICDEF.
DIRM command: ADD, NICDEF
RLIST VMLAN resource_name
If the resource name is not in the list:
RDEFINE VMLAN resource_name UACC(NONE)
PERMIT resource_name CLASS(VMLAN) ID(target_id)
ACCESS(prom_info)
If NICDEF PROMISCUOUS then prom_info is CONTROL, otherwise prom_info
is UPDATE.
DIRM command: CHNGID
Save NICDEF authorizations using:
RLIST VMLAN resource_name
PERMIT resource_name CLASS(VMLAN) ID(target_id) DELETE
For each saved NICDEF authorization:
PERMIT resource_name CLASS(VMLAN) ID(target_id) ACCESS(prom_info)
If NICDEF PROMISCUOUS then prom_info is CONTROL, otherwise prom_info
is UPDATE.
DIRM command: PURGE
PERMIT resource_name CLASS(VMLAN) ID(target_id) DELETE
If the resource owner is DIRMAINT then issue:
RAC RDELETE VMLAN resource
DIRM command: REPLACE
PERMIT old_resource_name CLASS(VMLAN) ID(target_id) DELETE
PERMIT new_resource_name CLASS(VMLAN) ID(target_id)
ACCESS(prom_info)
If NICDEF PROMISCUOUS then prom_info is CONTROL, otherwise prom_info
is UPDATE.
Note:
- DASD resource names are in acigroup.target_id.disk_addr format if an ACIGROUP statement exists in the user's directory entry. Otherwise, DASD resource names are in target_id.disk_addr format.
- During CMDISK processing, the old disk authorizations are deleted and re-permitted due to the transfer of the disk to and from a DATAMOVE machine for the associated DASD management processing.
The USE_RACF= statement also controls the use of the DoRacf global variable within the DIRMAINT service machine. The DoRacf global variable can be used by your exits in order to determine if additional (user-supplied) RACF function should be executed. Whenever a configured exit is called by DIRMAINT, the DoRacf global variable is set based on all configured USE_RACF statements. DoRacf is set to true when the exit is configured to be enabled for additional RACF communication. Otherwise, DoRacf is set to false.
USE_RACF= YES ALL indicates that all DirMaint user exits will be called with a DoRacf value of true (except for those configured on a USE_RACF= NO statement, which will be called with a DoRacf value of false).
USE_RACF= NO ALL indicates that all DirMaint user exits will be called with a DoRacf value of false (except for exits overridden using USE_RACF= YES statements, which will be called with a DoRacf value of true). This is the default if no USE_RACF= YES ALL statement is configured.
USE_RACF= YES exit_name indicates that the specified exit will be called with DoRacf set to true.
USE_RACF= NO exit_name indicates that the specified exit will be called with DoRacf set to false.
Note: When specifying the file name of a user exit, the user exit must still be defined using the exit's definition statement.
- 2
- The RACF_ADDUSER_DEFAULTS= entry specifies the defaults that will be used by DVHRUN when it issues a RACF ADDUSER command. (See the z/VM: RACF Security Server Command Language Reference for valid options.) The IBM-supplied default is UACC(NONE).
- 3
- The RACF_RDEFINE_VMMDISK_DEFAULTS= entry specifies the defaults that will be used by DVHRDN when it issues a RACF RDEFINE VMMDISK command. (See the z/VM: RACF Security Server Command Language Reference for valid options.) The IBM-supplied defaults are UACC(NONE) AUDIT(FAILURES(READ)).
- 4
- The RACF_DISK_OWNER_ACCESS= entry specifies the access authority that will be used by DVHRDN when it issues a RACF PERMIT command for the owner of the disk. (See the z/VM: RACF Security Server Command Language Reference for valid options.) The IBM-supplied default is ACC(ALTER). To use the default access configured in RACF, use a RACF_DISK_OWNER_ACCESS= statement without an access authority specified (i.e., a blank RACF_DISK_OWNER_ACCESS= statement).
- 5
- The RACF_RDEFINE_VMPOSIX_POSIXOPT.QUERYDB= entry specifies the defaults that will be used by DVHRUN or DVHRPESM when it issues a RACF RDEFINE VMPOSIX POSIXOPT.QUERYDB command. (See the z/VM: RACF Security Server Command Language Reference for valid options.) The IBM-supplied default is UACC(READ).
- 6
- The RACF_RDEFINE_VMPOSIX_POSIXOPT.SETIDS= entry specifies the defaults that will be used by DVHRUN or DVHRPESM when it issues a RACF RDEFINE VMPOSIX POSIXOPT.SETIDS command. (See the z/VM: RACF Security Server Command Language Reference for valid options.) The IBM-supplied default is UACC(NONE).
- 7
- The RACF_RDEFINE_SURROGAT_DEFAULTS= entry specifies the defaults that will be used by DVHRUN or DVHRLB when it issues a RACF RDEFINE SURROGAT command. (See the z/VM: RACF Security Server Command Language Reference for valid options.) The IBM-supplied default is UACC(NONE) AUDIT(FAILURES(READ)).
- 8
- The RACF_RDEFINE_VMBATCH_DEFAULTS= entry specifies the defaults that will be used by DVHRUN when it issues a RACF RDEFINE VMBATCH command. (See the z/VM: RACF Security Server Command Language Reference for valid options.) The IBM-supplied default is UACC(NONE) AUDIT(FAILURES(READ)).
- 9
- The RACF_RDEFINE_VMRDR_DEFAULTS= entry specifies the defaults that will be used by DVHRUN when it issues a RACF RDEFINE VMRDR command. (See the z/VM: RACF Security Server Command Language Reference for valid options.) The IBM-supplied default is UACC(NONE) AUDIT(FAILURES(READ)).
- 10
- The RACF_VMBATCH_DEFAULT_MACHINES= entry identifies the batch machines available on the system.
- 11
- The TREAT_RAC_RC.4= entry identifies how DVHRUN, DVHRDN, DVHRPESM, and DVHRLB will interpret the RACF return code 4 (authorization decision deferred by RACF to z/VM®) from the RACF commands – as if the return code was 0 (successful) or 4 (unsuccessful). The default, if not configured, is 4. The value in the CONFIGRC SAMPDVH file is 0.
- 12
- The ESM_PASSWORD_AUTHENTICATION_EXIT= entry identifies the exit to be called to issue the necessary commands to authenticate a user using a CP logon password or External Security Manager password phrase.
- 13
- The RACF_RDEFINE_VSWITCH_LAN= entry specifies whether or not a RACF profile (using RDEFINE) is added for a z/VM Virtual Switch or guest LAN in DVHRVN processing during an 'add' operation if a profile does not currently exist. The IBM-supplied default is YES.
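The following added example (not IBM code and not part of the product) applies the USE_RACF= rules from entry 1 and the TREAT_RAC_RC.4= rule from entry 11 to the text of an override file, so a reviewer can see offline which connector EXECs end up enabled and whether return code 4 is being counted as success. It assumes one KEYWORD= value statement per line and case-insensitive keywords, and it rejects conflicting TREAT_RAC_RC.4= values because the page does not say which one wins; the function names and the sample statements are constructed for illustration.

```python
# Added example, not IBM code. Connector EXEC names are taken from Table 1.
CONNECTOR_EXECS = ("DVHRDN", "DVHRLB", "DVHRLN", "DVHRPESM",
                   "DVHRPN", "DVHRUN", "DVHRVN")


def parse_statements(text):
    """Return (KEYWORD, value) pairs from 'KEYWORD= value' lines (assumed layout)."""
    pairs = []
    for line in text.splitlines():
        keyword, sep, value = line.partition("=")
        if sep and keyword.strip():
            pairs.append((keyword.strip().upper(), value.strip()))
    return pairs


def resolve_use_racf(pairs):
    """Map each connector EXEC to True (enabled) or False (disabled)."""
    yes_all = no_all = False
    yes_named, no_named = set(), set()
    for keyword, value in pairs:
        if keyword != "USE_RACF":
            continue
        tokens = value.upper().split()
        if len(tokens) < 2 or tokens[0] not in ("YES", "NO"):
            raise ValueError(f"malformed USE_RACF= statement: {value!r}")
        enable, name = tokens[0] == "YES", tokens[1]
        if name == "ALL":
            yes_all, no_all = yes_all or enable, no_all or not enable
        else:
            (yes_named if enable else no_named).add(name)
    # NO ALL is the default, and any NO ALL causes YES ALL statements to be ignored.
    base_enabled = yes_all and not no_all
    # With YES ALL in effect only NO <exec> statements matter; otherwise only YES <exec>.
    return {name: (name not in no_named) if base_enabled else (name in yes_named)
            for name in CONNECTOR_EXECS}


def rc4_treated_as_success(pairs):
    """True only when TREAT_RAC_RC.4= 0 is configured; unconfigured means 4."""
    values = {value for keyword, value in pairs if keyword == "TREAT_RAC_RC.4"}
    if len(values) > 1:
        raise ValueError(f"conflicting TREAT_RAC_RC.4= values: {sorted(values)}")
    return values == {"0"}


# Constructed sample: the first USE_RACF= example from entry 1 plus the
# TREAT_RAC_RC.4= value that the page says is in CONFIGRC SAMPDVH.
SAMPLE = """\
USE_RACF= YES ALL
USE_RACF= NO DVHRUN EXEC
RACF_ADDUSER_DEFAULTS= UACC(NONE)
TREAT_RAC_RC.4= 0
"""

if __name__ == "__main__":
    statements = parse_statements(SAMPLE)
    for exec_name, enabled in resolve_use_racf(statements).items():
        print(f"{exec_name:9} {'enabled' if enabled else 'disabled'}")
    print("RC 4 counted as success:", rc4_treated_as_success(statements))
```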