z/OS MVS Programming: Resource Recovery


Setting up access authorization

SA23-1395-00

If your installation uses the RACF component of SecureWay for z/OS, you can control access to the information and actions the panels provide. In a Parallel Sysplex®, you can configure RRS to allow a user to manage all the RRS images in the sysplex from a single image. Access to RRS system management functions is controlled by two RACF® resources.

To control RRS access across a sysplex, RRS uses the MVSADMIN.RRS.COMMANDS.gname.sysname resource in the FACILITY class, where gname is the logging group name, and sysname is the system name. You may create a RACF profile to permit access to multiple logging groups and systems by including RACF valid generic characters (**, *, and %) in gname and sysname. See the z/OS Security Server RACF Security Administrator's Guide and z/OS Security Server RACF Command Language Reference for more information about using these RACF generic characters and defining RACF profiles. By permitting appropriate access, you can allow users to view or alter RRS information on any number of systems in the sysplex.

If you are running RRS on a single system, RRS can use either the MVSADMIN.RRS.COMMANDS.gname.sysname resource or the MVSADMIN.RRS.COMMANDS resource in the FACILITY class to control access to RRS system management functions. The MVSADMIN.RRS.COMMANDS resource only allows access to RRS system management functions on the current system. You cannot use MVSADMIN.RRS.COMMANDS to allow or disallow use of RRS on another system.
Note: This restriction does not apply to shared restart or RRS log stream data being used by the local system. Access to the log stream data sets requires that the system logger address space have the appropriate authorization to the hlq.data_set_name resource in the DATASET class for each DASD log stream and staging data set. Use the MVSADMIN.RRS.COMMANDS.gname.sysname resource to control the use of RRS services to view or modify information in the logs, including the restart log, of logging groups that are not being used by the local system.
For example:
  • To allow a user to view RRS information only on the current system, you could provide READ access to the MVSADMIN.RRS.COMMANDS resource in the FACILITY class.
  • Provide ALTER access to the MVSADMIN.RRS.COMMANDS.gname.sysname resource in the FACILITY class for a particular system in the sysplex, to allow a user to:
    • Resolve an in-doubt UR
    • Remove a resource manager's interest in a UR
    • Delete a resource manager from RRS
    • Unregister a resource manager to clean up the resource manager's involvement with RRS.
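
The two grants described above, written out as RACF commands. This is an added example, not text from the IBM manual. The logging group PLEX1, system SYS1, group RRSOPER and user RRSADM1 are constructed placeholders, and the example assumes the FACILITY class is RACLISTed at your installation.

```tso
/* Constructed values: logging group PLEX1, system SYS1,             */
/* group RRSOPER (view only), user RRSADM1 (recovery administrator). */

/* Generic profiles must be active for the FACILITY class before     */
/* a profile name containing * is treated as generic.                */
SETROPTS GENERIC(FACILITY)

/* View-only access on every system in logging group PLEX1.          */
/* UACC(NONE) keeps users without an explicit permit out.            */
RDEFINE FACILITY MVSADMIN.RRS.COMMANDS.PLEX1.* UACC(NONE)
PERMIT MVSADMIN.RRS.COMMANDS.PLEX1.* CLASS(FACILITY) ID(RRSOPER) ACCESS(READ)

/* ALTER (resolve in-doubt URs, remove interests, delete or          */
/* unregister resource managers) on one system only.                 */
RDEFINE FACILITY MVSADMIN.RRS.COMMANDS.PLEX1.SYS1 UACC(NONE)
PERMIT MVSADMIN.RRS.COMMANDS.PLEX1.SYS1 CLASS(FACILITY) ID(RRSADM1) ACCESS(ALTER)

/* RACF checks only the best-matching profile and does not merge     */
/* access lists, so the SYS1 profile now hides the PLEX1.* permit    */
/* for SYS1. Re-grant READ here or viewers lose access on SYS1.      */
PERMIT MVSADMIN.RRS.COMMANDS.PLEX1.SYS1 CLASS(FACILITY) ID(RRSOPER) ACCESS(READ)

/* Make the changes effective for the RACLISTed class.               */
SETROPTS RACLIST(FACILITY) REFRESH

/* Review the resulting access lists.                                */
RLIST FACILITY MVSADMIN.RRS.COMMANDS.PLEX1.* AUTHUSER
RLIST FACILITY MVSADMIN.RRS.COMMANDS.PLEX1.SYS1 AUTHUSER
```

Reviewing the RLIST output periodically shows who holds ALTER, which is the access level that permits changing transaction outcomes.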





Copyright IBM Corporation 1990, 2014