Enable RACF security for Application Restart Control

Version 1
    Share This:

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.




    All versions of Application Restart Control for DB2, IMS, and VSAM


    How do I use RACF to control access to Application Restart Components?


    The best source of this data is the ARC manual.

    The current manual states on pages 88-89, under the heading Security Products:
    If you have the IBM RACF product or the CA Technologies CA-ACF2 or CA-Top Secret product, or if you are using the RACF
    Program Access to Data Sets (PADS) facility, consider the requirements described in this section:

    Authorize BMCP and BMCBCSS as started tasks in the started task names table.
    If you want to use RACF to secure access for your DB2 environment, you should use the following syntax to define your Access Profile:
    PERMIT subsys.MASS CLASS(DSNR)... (for DSN attach type)
    PERMIT subsys.BATCH CLASS(DSNR)... (for CAF attach type)

    This is an excerpt from pages 442-448, under the heading Using AR/CTL external security:

    If you set up AR/CTL external security, AR/CTL products permit only authorized users to access AR/CTL product components and functions.

    When a user tries to access an AR/CTL product component or function, AR/CTL external security issues a RACROUTE call to determine the access authority of the user ID associated with the ISPF session or application program. AR/CTL external security retains the results of the RACROUTE calls for use as long as the current AR/CTL ISPF interface session is active or he application is executing.

    AR/CTL RACROUTE requests specify a default resource class name of AES0. For easy maintenance, AR/CTL products use only one resource class name. AR/CTL RACROUTE requests also specify an entity name associated with a specific function of an AR/CTL product. The RACROUTE entity names are associated with specific access levels, and they limit access to specific records of the REGISET,
    specific functions of the AR/CTL ISPF interface, or participation of AR/CTL products in the application execution. The permitted access levels are read and update, depending on the type of operation being performed. AR/CTL RACROUTE entity names and descriptions defined within AR/CTL products are shown in the table AR/CTL individual security entities (see page 446).

    If the return code from the RACROUTE call indicates that the user is not authorized for the function, AR/CTL products perform no additional security processing and deny the request for access.

    • Setting up AR/CTL external security (see page 443)
    • Using extended security entity definitions (see page 445)
    • Individual security entities (see page 446)
    • Modifying individual security entities (see page 451)
    For more detailed information about setting up RACF, including RACF commands, please see the Application Restart Control Administration Manual or the administration section of the consolidated manual.



    Article Number:


    Article Type:


      Looking for additional information?    Search BMC Support  or  Browse Knowledge Articles