User resource class $BETA

Overview

All Beta product security checking takes place using the SAF (System Authorization Facility) calling conventions of RACF (Resource Access Control Facility), or an equivalent SAF-compatible security product. Beta product resources are defined to RACF in the user resource class $BETA.

Class descriptor table

All the resource classes used in the RACF installation are defined in the RACF class descriptor table. Classes can be defined as static classes or as dynamic classes.

BSA.SAMPLIB members for defining $BETA

Member RACF#CDT in the BSA.SAMPLIB contains a set of sample RACF commands for defining $BETA as a static class or as a dynamic class.

Modify the sample members to suit your security requirements. Parameters ID= (static classes only) and POSIT= (static and dynamic classes) must be modified so that they are unique at your installation.

Member RACF#ASM in the BSA.SAMPLIB contains a sample job to assemble and link the class descriptor table.

Static or dynamic class

Defining a static class requires an IPL to enable this class to take effect.

Defining a dynamic class does not require an IPL.

IBM recommendation: All classes that are not standard IBM classes should be defined dynamically.

Defining a static class

Following is an example for defining $BETA as a static class:

+-----------------------------------------------------------------------+
| PRINT GEN |
|$BETA ICHERCDE CLASS=$BETA, + |
| ID=145, + |
| MAXLNTH=64, + |
| FIRST=ANY, + |
| OTHER=ANY, + |
| POSIT=45, + |
| OPER=NO, + |
| DFTUACC=NONE |
| ICHERCDE |
| END |
+-----------------------------------------------------------------------+

Note: An IPL is necessary for this newly defined class to take effect.

Defining a dynamic class

Following is an example for defining $BETA as a dynamic class:

+-----------------------------------------------------------------------+
| RDEFINE CDT $BETA CDTINFO( + |
| MAXLENGTH(64) + |
| FIRST(ALPHA,NATIONAL,NUMERIC,SPECIAL) + |
| OTHER(ALPHA,NATIONAL,NUMERIC,SPECIAL) + |
| POSIT(45) + |
| OPERATIONS(NO) + |
| DEFAULTUACC(NONE) + |
| ) |
+-----------------------------------------------------------------------+

Note: SETROPTS RACLIST(CDT) REFRESH must be executed for this newly defined class to take effect.

Sample definitions

The samples are defined as follows:

  • MAXLNTH / MAXLENGTH: The maximum length of a resource name is 64 characters. This is sufficient for all Beta product resources.
  • FIRST and OTHER: ANY characters can be used in both the FIRST and OTHER position of the resource names of static classes. When working with dynamic classes, however, FIRST and OTHER must be specified as shown in the second example above.

    Note: The set of characters that can be used is restricted by the Beta product security exit BnnUXSEC, which allows only a subset of special characters for resource names. See the description of the sample product security exit in the product Installation and System Guide for a list of permitted characters.

  • OPER / OPERATIONS: A user with the attribute OPERATIONS does not automatically have access to this class.
  • DFTUACC / DEFAULTUACC: The default universal access is NONE. The default universal access comes into effect whenever a profile is defined to RACF without specifying the universal access (UACC) for this resource.

Notes

  • We recommend that you specify parameter RACLIST=ALLOWED to optimize the use of resources.
  • If you want to define generic profiles in class $BETA, remember to define them as generic and to activate generic profile checking (options GENCMD and GENERIC). This has to be done before the first profile is defined.
  • For more information, see the IBM manual RACF Macros and Interfaces.
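The following command sequence is an added example, not taken from BSA.SAMPLIB or the product documentation. It shows the order of operations after the dynamic class has been defined: refresh the CDT, activate $BETA, enable generic profile checking before the first profile exists, then define and verify a profile. The profile name EXAMPLE.RESOURCE.* and the group BETAGRP are hypothetical placeholders, not real Beta product resource names.

```clist
PROC 0
  /* Added example. EXAMPLE.RESOURCE.* and BETAGRP are hypothetical   */
  /* placeholders; replace them with names valid at your site.        */

  /* 1. Make the RDEFINE CDT $BETA definition effective (no IPL).     */
SETROPTS RACLIST(CDT) REFRESH

  /* 2. Activate the class so that RACF checks requests against it.   */
SETROPTS CLASSACT($BETA)

  /* 3. Enable generic profile checking and generic profile commands. */
  /*    This must happen before the first $BETA profile is defined.   */
SETROPTS GENERIC($BETA) GENCMD($BETA)

  /* 4. Define a generic profile. UACC(NONE) is stated explicitly     */
  /*    rather than relying on the class default (DEFAULTUACC).       */
RDEFINE $BETA EXAMPLE.RESOURCE.* UACC(NONE)

  /* 5. Grant the minimum access needed to one group only.            */
PERMIT EXAMPLE.RESOURCE.* CLASS($BETA) ID(BETAGRP) ACCESS(READ)

  /* 6. Refresh in-storage generic profiles so the change is used.    */
SETROPTS GENERIC($BETA) REFRESH

  /* 7. Verify: list the profile with its access list, then check     */
  /*    that $BETA appears under the active and generic classes.      */
RLIST $BETA EXAMPLE.RESOURCE.* AUTHUSER
SETROPTS LIST
```

In the RLIST output, confirm that UNIVERSAL ACCESS shows NONE and that the access list contains only the intended IDs.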