How to implement RACF as the security system for TPX ?

Document ID : KB000025378
Last Modified Date : 14/02/2018

Question:

How to implement RACF as the security system for TPX ?

Answer:

Steps required to set up RACF as the security system for TPX authentication.

  • Specify "RACF" or "SAF" in the "Security System" field of the SMRT - Security Parameters.

    • SAF is preferred because it allows you to use features such as security messages.

  • You can use the Security Action/Message Table (SAMT) to customize the response of TPX to messages produced by RACF. (optional)

  • You can use the RACF interface to specify how TPX determines profiles for dynamic users. (optional)

    • "Dynamic users" are users who are not maintained by TPX administration. Their profiles are not determined by records in the ADMIN files, but instead are determined when the dynamic user logs on.

  • Define to TPX all profiles that will be used.

    Here are two methods for defining profile selection:

    • USER-LEVEL PROFILE SELECTION

      1. Specify "Y" in the "Load profiles at startup" field of the SMRT (Performance Parameters).
      2. Specify "USER" in the "Profile Selection" field of the SMRT (Performance Parameters).
      3. In RACF, specify each profile as a RACF Group.
      4. In RACF, specify the Group names in each user's security record.
      5. For each Group name, a profile with a matching name will be added to the user's profile list.

    • PROFILE-LEVEL PROFILE SELECTION

      1. Specify "Y" in the "Load profiles at startup" field of the SMRT (Performance Parameters).
      2. Set up a new class in the RACF Class Descriptor Table, ICHRRCDE. Use the ICHERCDE macro to create this class.
      3. Activate the RACF Resource Class with the SETROPTS CLASSACT command.
      4. Define the RACF Resource Class to TPX by specifying its name in the "Resource Class" field of the SMRT (Security Parameters).
      5. Set up a rule in the class for each profile, specifying which users can use that profile.
      6. Indicate which profile should appear first in the user's list of profiles by entering "Y" in the "Profile Should be First" field of the profile. (Field is in Profile Maintenance, under User/Group Maintenance.)

NOTE: The TPXUSNSF exit can be used to add profiles to or delete profiles from the list provided by the security system.

Example of PROFILE-LEVEL PROFILE SELECTION

SMRT
 
    Security Parameters                                                        
    -------------------                                                        
  * Security System:           RACF       * Profile Selection:         PROF
  * Alias Name:                           * Resource Class:            CA$TPX
 
   Performance Parameters
   ----------------------
    VTAM Authorized Path Facility:      Y
    Large Message Processing Option:    Y
    Rtasks (Number of servers):         03
    Load profiles at startup:           Y
                                 
 
    RACF: DEFINE THE NEW CLASS AND DEFINE THE NEW CLASS TO THE ROUTER TABLE
        
             LABEL      ICHERCDE CLASS=CA$TPX,
                        DFTUACC=NONE,
                        FIRST=ALPHA,
                        ID=nn,                  (128-255)
                        KEYQUAL=0,
                        MAXLNTH=39,
                        OPER=NO,
                        OTHER=ANY,
                        POSIT=nnn               (SEE RACF CUSTOMIZATION)

             LABEL      ICHRFRTB ACTION=RACF,
                        CLASS=CA$TPX

   DEFINE THE FOLLOWING
             SETROPTS CLASSACT(CA$TPX)
             SETROPTS GENERIC(CA$TPX)
             RDEFINE CA$TPX profname     UACC(NONE)
             .
             .
             .
             PERMIT profname CLASS(CA$TPX) ID(USERID) ACCESS(READ)
             .
             .
             .

MAXLNTH can remain 39, although it can be reduced to the maximum length of a TPX profile name, so 8 would also be acceptable.

RACLIST=ALLOWED/DISALLOWED is not relevant from the TPX perspective.
TPX does not issue a RACLIST or a RACROUTE REQUEST=LIST to gather, in one call, all the profiles a user is authorized to. Instead, for each profile loaded at startup from the TPX database, TPX issues an individual RACHECK or RACROUTE REQUEST=AUTH to determine whether the user is authorized to that profile.

The user must be given RACF READ access to a profile in order to use it.
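As an added illustration (not code from this KB article or from the TPX product), the following Python model shows what the two selection methods described above produce for a constructed RACF setup. The profile-level function issues one authorization decision per profile loaded at startup and keeps those the user can READ (via UACC or a PERMIT, with higher access levels such as UPDATE satisfying READ), then moves the "Profile Should be First" profile to the top; the user-level function maps the user's RACF groups onto loaded profile names. All profile, class, group and user names are constructed, the RACF decision is simplified (no OPERATIONS attribute, WARNING mode, global access table or conditional access), and treating a loaded profile that has no RDEFINE in the class as not authorized is an assumption of this model, not documented TPX behaviour.

```python
"""Model of how TPX builds a user's profile list from per-profile RACF decisions.

Constructed example; it does not call RACF and only mirrors the rules stated
in the KB article (UACC(NONE) + PERMIT ... ACCESS(READ), one check per profile).
"""
from dataclasses import dataclass, field

# RACF access levels in increasing order: a PERMIT at a higher level
# (e.g. UPDATE) also satisfies a request for READ.
ACCESS_LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


@dataclass
class ResourceProfile:
    """One RDEFINE entry in the resource class (CA$TPX in the article)."""
    name: str
    uacc: str = "NONE"
    # access list built by PERMIT: userid or group name -> access level
    permits: dict = field(default_factory=dict)


@dataclass
class RacfUser:
    userid: str
    groups: list  # RACF groups the user is connected to


def _level(access):
    return ACCESS_LEVELS.index(access)


def racroute_auth(profile, user, required="READ"):
    """Simplified RACROUTE REQUEST=AUTH: the effective access is the highest of
    the profile's UACC and any access-list entry for the user or their groups.
    (Assumption: OPERATIONS, WARNING mode, global access table and conditional
    access are ignored.)"""
    best = profile.uacc
    for subject in [user.userid, *user.groups]:
        granted = profile.permits.get(subject)
        if granted is not None and _level(granted) > _level(best):
            best = granted
    return _level(best) >= _level(required)


def profile_level_selection(loaded_profiles, resource_class, user, first=None):
    """PROFILE-LEVEL selection: one authorization check per profile that TPX
    loaded at startup; a profile is kept only if the user has READ access.
    A loaded profile with no RDEFINE is treated as not authorized (assumption)."""
    allowed = [
        name for name in loaded_profiles
        if name in resource_class and racroute_auth(resource_class[name], user)
    ]
    # "Profile Should be First" flag in Profile Maintenance
    if first in allowed:
        allowed.remove(first)
        allowed.insert(0, first)
    return allowed


def user_level_selection(loaded_profiles, user):
    """USER-LEVEL selection: every RACF group whose name matches a loaded TPX
    profile is added to the user's profile list."""
    return [group for group in user.groups if group in loaded_profiles]


# --- constructed sample data (names are illustrative, max 8 characters) ---

# Profiles defined in the TPX ADMIN files and loaded at startup
LOADED_PROFILES = ["ADMIN", "DEVELOP", "OPERS", "PAYROLL"]

# Equivalent of: RDEFINE CA$TPX name UACC(...) / PERMIT name CLASS(CA$TPX) ID(...) ACCESS(...)
CA_TPX = {
    "ADMIN":   ResourceProfile("ADMIN",   uacc="NONE", permits={"SYSADM": "READ"}),
    "DEVELOP": ResourceProfile("DEVELOP", uacc="NONE", permits={"DEVGRP": "READ"}),
    "OPERS":   ResourceProfile("OPERS",   uacc="READ"),   # open to every user
    "PAYROLL": ResourceProfile("PAYROLL", uacc="NONE", permits={"USER01": "UPDATE"}),
}

USER01 = RacfUser("USER01", groups=["DEVGRP", "OPERS"])
SYSADM = RacfUser("SYSADM", groups=["SYS1"])


if __name__ == "__main__":
    print("USER01 profile-level:", profile_level_selection(LOADED_PROFILES, CA_TPX, USER01, first="PAYROLL"))
    print("SYSADM profile-level:", profile_level_selection(LOADED_PROFILES, CA_TPX, SYSADM))
    print("USER01 user-level:   ", user_level_selection(LOADED_PROFILES, USER01))
```

Running the block shows USER01 receiving PAYROLL (UPDATE satisfies READ, and the flag puts it first), DEVELOP (through the DEVGRP group) and OPERS (UACC READ), while SYSADM gets only ADMIN and OPERS; under user-level selection USER01 gets just OPERS, because that is the only one of its groups that matches a loaded profile name.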