OpenEdition Planning, and inOS/390 OpenEdition Programming: Assembler
Callable Services Reference. The C language support for the
pthread_security_np() function is discussedOS/390 inR2 C/C++
Library Reference.
Threads and | Security |
|
|
|
An application that | usespthread_thesecurity_np | service | can customize the | |
RACF identity of a thread. Consider | a DCE application server on OS/390, w | |||
accepts | requests | through DCE remote | procedure | calls (RPC). This server |
a thread that processes the client's request. If the server customiz initiated for the client with the client's RACF identity, any resource
to MVS | identity | |||||
authorizations. |
|
|
|
|
|
|
The security administrator has the | option | of | enforcing | both | the applic | |
RACF identityand the RACF identity of | the | client | to be | used | in | resource |
control decisions on OS/390. |
|
|
|
|
|
|
The use ofpthreadthesecurity_np service is partially protected through a R FACILITY class profile BPX.SERVER.
ŸApplication servers that have UPDATE access to this profile can act surrogate of the2 Thisclientmeans. that only the client's RACF identity and
authorizations are used in resource access decisions processed by
ŸIf the application servers are permitted with READ access to the FACILITY class profile BPX.SERVER, two identities are used in local a
control decisions on OS/390:
– | The | RACF | identity of | the | client |
| |
– | The RACF identity of the | server |
| ||||
RACF | authorization | processing | enforces the requirementboth the MVSthat | ||||
user ID associated with the client and | the MVS user ID associate | ||||||
server | are | authorized | to | the resource | being checked. This capabil | ||
an | installation to | control: |
|
|
| ||
– Which user IDs the server can act on behalf of
–What resources the server can access when acting on behalf of clients
This additional security checking might require additional RACF administrat authorize the server to the RACF resource profiles that the server a behalf of its clients.
Single | threaded applications cannotpthreaduse securitythe _np | service to |
manage | a RACF ACEE. |
|
2 | There is | an additional security check in which a RACF | SURROGAT class profile must authorize the server to |
| for the | client. For more informationOS/390 seeOp nEdition Planning. |
|
40 | OS/390 | V1R2.0 Security Server (RACF) Planning: Installation | and Migration |
