How can I control Authorized MVS Macros for Extended MCS Consoles?

Document ID : KB000028119
Last Modified Date : 14/02/2018
Show Technical Document Details

Question:

How can I control Authorized MVS Macros for Extended MCS Consoles?

 

Answer:

The following examples show how to use CA-ACF2 to control the use of the MVS authorized macros for an extended MCS console user.

Controlling APF Lists

CSVAPF is an authorized MVS macro that allows you to perform APF list processing from an application program. The use of the CSVAPF macro, for processing authorized program facility (APF) lists can be controlled with external Security. The following CSVAPF facility rule controls who can make the APF list DYNAMIC and who can make the APF list STATIC. To allow access to these resources, issue the following commands to create and store the necessary rule:

SET RESOURCE(FAC) 
COMPILE
.$KEY(CSVAPF) TYPE(FAC)
.MVS.SETPROG.FORMAT.DYNAMIC UID(uidmask) SERVICE(UPDATE) ALLOW
.MVS.SETPROG.FORMAT.STATIC UID(uidmask) SERVICE(UPDATE) ALLOW
.END
STORE

Controlling Dynamic Exits

CSVDYNEX is an authorized MVS macro that allows you to perform the same dynamic exit processing from an application program, along with defining a dynamic exit, calling the exit routines associated with a dynamic exit, providing recovery for an exit call, and obtaining a list of the dynamic exits. The use of the CSVDYNEX macro, for processing dynamic exits can be controlled by external security.

The following CSVDYNEX facility rule controls:

  1. Who can define a dynamic exit via the REQUEST=DEFINE option of the CSVDYNEX macro for exit named "exitname".
  2. Who can add an exit routine to a dynamic exit, or modify or delete an exit routine routine named "routine" to exit named "exitname" associated with a dynamic exit.
  3. Who can undefine a dynamic exit named "exitname".
  4. Who can obtain a list of the dynamic exits via the REQUEST=LIST option of the CSVDYNEX macro for exit named "exitname".
  5. Who can call a dynamic exit's routines via the REQUEST=CALL option of the CSVDYNEX macro for exit named "exitname".
  6. Who can use the REQUEST=RECOVER option of the CSVDYNEX macro to have the system complete its recovery processing of a prior use of CSVDYNEX REQUEST=CALL option of the CSVDYNEX macro for exit named "exitname".

To allow access to these resources, issue the following commands to create and store the necessary rule:

ACF             
SET RESOURCE(FAC)
COMPILE
.$KEY(CSVDYNEX) TYPE(FAC)
.exitname.DEFINE (uidmask) SERVICE(UPDATE) ALLOW
.exitname.routine (uidmask) SERVICE(UPDATE) ALLOW
.exitname.UNDEFINE (uidmask) SERVICE(UPDATE) ALLOW
.exitname.LIST (uidmask) SERVICE(READ) ALLOW
.exitname.CALL (uidmask) SERVICE(UPDATE) ALLOW
.exitname.RECOVER (uidmask) SERVICE(UPDATE) ALLOW
.END
STORE

Controlling LNKLST Concatenations

CSVDYNL is an authorized MVS macro that allows you to perform LNKLST processing from an application program. The use of the CSVDYNL macro, for processing LNKLSTs can be controlled by external security.

The following CSVDYNL facility rule controls:

  1. Who can use the REQUEST=DEFINE option of the CSVDYNL macro for LNKLST set named "lnklist".
  2. Who can add a data set to LNKLST set named "lnklist".
  3. Who can delete a data set to LNKLST set named "lnklist".
  4. Who can remove the definition of LNKLIST set named "lnklist".
  5. Who can test LNKLIST set named "lnklist".
  6. Who can update a job to use the current LNKLIST set named "lnklist".
  7. Who can activate LNKLIST set named "lnklist".

To allow access to these resources, issue the following commands to create and store the necessary rule:

ACF     
SET RESOURCE(FAC)
COMPILE
.$KEY(CSVDYNL.) TYPE(FAC)
.lnklist.DEFINE UID(uidmask) SERVICE(UPDATE) ALLOW
.lnklist.ADD UID(uidmask) SERVICE(UPDATE) ALLOW
.lnklist.DELETE UID(uidmask) SERVICE(UPDATE) ALLOW
.lnklist.UNDEFINE UID(uidmask) SERVICE(UPDATE) ALLOW
.lnklist.TEST UID(uidmask) SERVICE(READ) ALLOW
.lnklist.UPDATE UID(uidmask) SERVICE(UPDATE) ALLOW
.lnklist.ACTIVATE UID(uidmask) SERVICE(UPDATE) ALLOW
.END
STORE

Controlling Dynamic LPA

CSVDYLPA is an authorized MVS macro that allows you to perform the dynamic LPA processing from an application program. The use of the CSVDYLPA macro, for processing Dynamic LPA can be controlled by external security.

The following CSVDYLPA facility rule controls:

  1. Who can add module named "module" to the LPA.
  2. Who can delete module named "module" from the LPA.

To allow access to these resources, issue the following commands to create and store the necessary rule:

ACF    
SET RESOURCE(FAC)
COMPILE
.$KEY(CSVDYLPA) TYPE(FAC)
.ADD.module UID(uidmask) SERVICE(UPDATE) ALLOW
.DELETE.module UID(uidmask) SERVICE(UPDATE) ALLOW
.END
STORE

Controlling LLA Refresh

If you are using the library lookaside (LLA) facility MVS, you can control a program's ability to use the LLACOPY macro. To authorize CICS jobs to use this macro by giving each CICS job UPDATE authority to the CSVLLA data set resource in the FACILITY class for each LLA-controlled data set named "lladataset" used by that job.

To allow access to these resources, issue the following commands to create and store the necessary rule:

ACF    
SET RESOURCE(FAC)
COMPILE
.$KEY(CSVLLA) TYPE(FAC)
.lladataset UID(uidmask) SERVICE(UPDATE) ALLOW
.END
STORE

Note: If the FACILITY resource class is specified as resident in the GSO INFODIR record, any rule changes or additions can be activated by issuing the following operator commands:

F ACF2,REBUILD(FAC)