OpenEdition Planning, and in OS/390 OpenEdition Programming: Assembler Callable Services Reference. The C language support for the pthread_security_np() function is discussed in OS/390 R2 C/C++ Run-Time Library Reference.

Threads and Security

An application that uses the pthread_security_np service can customize the RACF identity of a thread. Consider a DCE application server on OS/390, which accepts requests through DCE remote procedure calls (RPC). This server a thread that processes the client's request. If the server customiz initiated for the client with the client's RACF identity, any resource to MVS RACF-protected resources are made using the client's RACF identity and authorizations.

The security administrator has the option of enforcing both the applic RACF identity and the RACF identity of the client to be used in resource control decisions on OS/390.

The use of the pthread_security_np service is partially protected through a RACF FACILITY class profile BPX.SERVER.

• Application servers that have UPDATE access to this profile can act surrogate of the client.² This means that only the client's RACF identity and authorizations are used in resource access decisions processed by

• If the application servers are permitted with READ access to the FACILITY class profile BPX.SERVER, two identities are used in local a control decisions on OS/390:

  – The RACF identity of the client

  – The RACF identity of the server

  RACF authorization processing enforces the requirement that both the MVS user ID associated with the client and the MVS user ID associated with the server are authorized to the resource being checked. This capabil an installation to control:

  – Which user IDs the server can act on behalf of

  – What resources the server can access when acting on behalf of clients

  This additional security checking might require additional RACF administrat authorize the server to the RACF resource profiles that the server a behalf of its clients.
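The two BPX.SERVER cases above, together with the SURROGAT check from footnote 2, can be modeled to see which user IDs must be authorized to a resource and which profiles a READ-level server still needs. This Python model is an added example, not IBM or RACF code; the user IDs, resource names and the `Policy` structure are constructed, and refusing a server that has neither access level is an assumption of the model.

```python
# Added illustration: a simplified model of the checks described above, not RACF code.
# All user IDs, resource names and data layouts here are constructed.
from dataclasses import dataclass, field


@dataclass
class Policy:
    bpx_server: dict = field(default_factory=dict)  # server ID -> "READ" or "UPDATE" on BPX.SERVER
    surrogat: set = field(default_factory=set)      # (server, client) pairs a SURROGAT profile allows
    permits: dict = field(default_factory=dict)     # resource profile -> user IDs authorized to it


def identities_checked(policy, server, client):
    """User IDs that must be authorized once the thread carries the client's identity."""
    level = policy.bpx_server.get(server)
    if level == "UPDATE":
        # Surrogate case: the SURROGAT check from the footnote applies, then only
        # the client's identity is used in resource access decisions.
        if (server, client) not in policy.surrogat:
            raise PermissionError(f"{server} is not a permitted surrogate for {client}")
        return (client,)
    if level == "READ":
        # Both the client's and the server's user IDs must pass the check.
        return (client, server)
    # Assumption of this model: without READ or UPDATE the server cannot use the service.
    raise PermissionError(f"{server} has no access to BPX.SERVER")


def check_access(policy, server, client, resource):
    """True when every identity that is checked is authorized to the resource."""
    allowed = policy.permits.get(resource, set())
    return all(uid in allowed for uid in identities_checked(policy, server, client))


def missing_server_permits(policy, server, resources):
    """Resource profiles a READ-level server still has to be permitted to."""
    if policy.bpx_server.get(server) != "READ":
        return []
    return sorted(r for r in resources if server not in policy.permits.get(r, set()))


# Constructed sample policy.
POLICY = Policy(
    bpx_server={"SRVUPD": "UPDATE", "SRVREAD": "READ"},
    surrogat={("SRVUPD", "ALICE")},
    permits={"PAYROLL": {"ALICE"}, "ORDERS": {"ALICE", "SRVREAD"}},
)
```

In the sample policy the same client request for PAYROLL succeeds through the UPDATE-level server and fails through the READ-level server, because the READ-level server's own user ID is not permitted to that profile.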

Single threaded applications cannot use the pthread_security_np service to manage a RACF ACEE.

 

² There is an additional security check in which a RACF SURROGAT class profile must authorize the server to for the client. For more information see OS/390 OpenEdition Planning.

40 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration

IBM GC28-1920-01