What are the minimum ACF2 authorization requirements for the callers of Workload Management services IWMSRDRS (Deregister a server for sysplex routing) and IWMSRSRG (Register a server for sysplex routing)?

Document ID : KB000106819
Last Modified Date : 16/07/2018
Show Technical Document Details
Question:
What are the minimum ACF2 authorization requirements for the callers of Workload Management services IWMSRDRS (Deregister a server for sysplex routing) and IWMSRSRG (Register a server for sysplex routing)?
Answer:
Starting with z/OS® V2R2, the minimum authorization requirements for the callers of Workload Management services IWMSRDRS (Deregister a server for sysplex routing) and IWMSRSRG (Register a server for sysplex routing) are as follows.

If resource BPX.WLMSERVER is defined in the FACILITY class, an unauthorized caller requires access authority to this resource or the IWM.SERVER.REGISTER resource in the FACILITY class. 

If the server to be registered or deregistered is not the home address it is an unauthorized caller, one of the following is required: 
  • Supervisor state. 
  • Program key mask (PKM) allowing at least one of the keys 0-7. 
  • The caller has at least READ authority to the resource IWM.SERVER.REGISTER in the FACILITY class. If this resource is not defined, READ authority to the FACILITY class resource BPX.WLMSERVER is required. 
Sample ACF2 resource rules follow.

ACF
SET RESOURCE(FAC)
RECKEY BPX ADD( WLMSERVER UID(UID string of unauth caller) SERVICE READ(ALLOW))
F ACF2,REBUILD(FAC)

SET RESOURCE(FAC)
RECKEY IWM ADD( SERVER.REGISTER UID(UID string of unauth caller) SERVICE READ(ALLOW))
F ACF2,REBUILD(FAC)


For more information, see IBM z/OS MVS Programming: Workload Management Services.