resources. Profiles must reside in storage before RACROUTE | |||
REQUEST=FASTAUTH can | be used to verify a user's | access to | a resourc |
Ÿ The client/server | relationship is not propagated | from the | application |
If | the security | administrator | implements access | control bothto | resources th |
the | server's RACF | identity and | the client's RACF | identity in | an access |
decision, application servers that the security administrator does not treated endas pointson OS/390. These servers notshouldbe allowed to submit batch jobs or use the services of other servers that run exclusively identity of the client. This is because the relationship of the clien identity pair is not propagated to other applications or servers. The administrator must enforce this through administrative procedures by ens applications servers that do not meet notthisauthorizedcriteria areto the profile BPX.SERVER in the RACF FACILITY class. By denying the untrusted servers
authorization to BPX.SERVER, the | security administrator | ensures | that | all |
done by the server, including | job submission and the | use of | other | se |
using the server's identity. |
|
|
|
|
Controlling | the | R_dceruid Callable Service |
|
|
The security | administrator must define the IRR.RDCERUID | profile in th | ||
class to control the use of the SAF | R_dceruid callable | service. This | ||
service | maps | the DCE UUID to the | RACF user ID. |
|
Check your installation for programs that use:
Ÿthe SAF R_dceruid callable service
or services that call it, such as:
Ÿ the OS/390 OpenEditionconvert_id_np | callable service |
Ÿthe C library functionconvert_id_np() function call
Users or | servers | using programs | that use these services must | have REA |
or higher | to the | profile that | protects IRR.RDCERUID in the | FACILITY |
Enhancements to the | Remove | ID | Utility |
|
|
|
|
|
|
|
|
The RACF remove ID utility, IRRRID00, has been | enhanced to search | pr | |||||||||
defined to the DCEUUIDS class | when removing a user ID. The utility g | ||||||||||
output consisting of commands that remove | DCEUUIDS | class profiles | in | whic | |||||||
APPLDATA field | contains | the | user | ID being | removed. |
|
| ||||
The | RACF | security administrator | should contact | the | DCE administrator | when | |||||
removing a user ID | which | has | been | ||||||||
if | the | DCE | principal | should be | deleted | from | the | cell. |
|
| |
SOMobjects for MVS
The | security administrator must permit the users who | are allowed to | us |
SOM | servers and are allowed to use specific methods | within classes | to |
within the new RACF CBIND and SOMDOBJS classes. In addition, the securit administrator must define which servers are known to the SOM daemon, by defining profiles within the new RACF SERVER class.
42 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration
