Creating RACF Facility Classes

The platform server uses RACF facility classes to determine whether a user is authorized to perform certain platform server maintenance functions.

The platform server uses the following two types of facility classes to validate whether a user is authorized for a function:

  • REXX/ISPF inquiry and profile authorization
  • Command Center functions

Procedure

  1. Create the REXX/ISPF inquiry and profile facility under RACF.
    The GLOBAL BOSSID parameter, which is defined in GLOBAL Startup Parameters, defines a facility class that is used for authorization checking for the REXX/ISPF interface and the user profile.

    For example, BOSSID=$FUSION:

    • To define this facility under RACF, you can use the following RACF command:

      RDEFINE FACILITY $FUSION UACC(NONE)

    • To make a user a platform server ISPF/REXX administrator, you must give them READ authorization to the profile using the following command:

      PERMIT $FUSION CLASS(FACILITY) ID(userid) ACCESS(READ)

    • To make a user a platform server profile administrator, you must give them CONTROL authorization to the profile using the following command:

      PERMIT $FUSION CLASS(FACILITY) ID(userid) ACCESS(CONTROL)

    For more information on platform server user profiles, REXX interface, and ISPF interface, see TIBCO Managed File Transfer Platform Server for z/OS User's Guide.

  2. Create a read-only REXX/ISPF inquiry and profile facility.
    In addition to the processing defined in Step 1, you can define an additional facility class to give ISPF users the authority to view but not update transfer requests. This facility adds the suffix .READ to the GLOBAL BOSSID parameter. When a user has READ access to this facility class, the TSO user can perform the following functions:
    • View all transfers.
    • Update only transfers where the transfer local user ID matches their TSO user ID.

    For example, BOSSID=$FUSION:

    • To define this facility under RACF, you can use the following RACF command:

      RDEFINE FACILITY $FUSION.READ UACC(NONE)

    • To make a user a platform server ISPF/REXX administrator, you must give them READ authorization to the $FUSION.READ facility by using the following RACF command:

      PERMIT $FUSION.READ CLASS(FACILITY) ID(userid) ACCESS(READ)

    At this point, the platform server will also check the facility class $FUSION.READ. If a user has access to this facility class, the user can read but not update transfer requests.
    Note: The .READ facility class is only checked if the user does not have access to the facility class defined by the BOSSID parameter.

  3. Create the Command Center facility classes.

    Four GLOBAL parameters define the names of the facility classes that are used to determine whether a user is authorized for Command Center functions.

    For example, the four parameters are defined as follows in the GLOBAL member of the platform server SAMPLIB. For more information, see GLOBAL Startup Parameters.

    CCC_BROWSE_FACILITY=$CCC.BROWSE
    CCC_ALTER_FACILITY=$CCC.ALTER
    CCC_ADMIN_FACILITY=$CCC.ADMIN
    CCC_TRANSFER_FACILITY=$CCC.TRANSFER

    • To define these facilities under RACF, you can use the following RACF commands:

      RDEFINE FACILITY $CCC.BROWSE UACC(NONE)
      RDEFINE FACILITY $CCC.ALTER UACC(NONE)
      RDEFINE FACILITY $CCC.ADMIN UACC(NONE)
      RDEFINE FACILITY $CCC.TRANSFER UACC(NONE)

    • To make a Command Center user authorized for all Command Center functions, you must give them READ authorization to the facility defined by the CCC_ADMIN_FACILITY parameter by using the following command:

      PERMIT $CCC.ADMIN CLASS(FACILITY) ID(userid) ACCESS(READ)

    • To make a Command Center user authorized for inquiry on completed transfers, you must give them READ authorization to the facility defined by the CCC_BROWSE_FACILITY parameter by using the following command:

      PERMIT $CCC.BROWSE CLASS(FACILITY) ID(userid) ACCESS(READ)

    • To make a Command Center user authorized for altering transfers on the platform server queue, you must give them READ authorization to the facility defined by the CCC_ALTER_FACILITY parameter by using the following command:

      PERMIT $CCC.ALTER CLASS(FACILITY) ID(userid) ACCESS(READ)

    • To make a Command Center user authorized for initiating transfers, you must give them READ authorization to the facility defined by the CCC_TRANSFER_FACILITY parameter by using the following command:

      PERMIT $CCC.TRANSFER CLASS(FACILITY) ID(userid) ACCESS(READ)
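
The checks in this procedure can be modelled to review which platform server role each user ends up with. The following Python sketch is an added example, not TIBCO code: it parses PERMIT commands and applies the rules above, including the Note that .READ is only checked when the BOSSID check fails. It assumes UACC(NONE), direct user permits only (no group connections or generic profiles), and that a higher RACF access level satisfies a READ check; the user IDs are constructed.

```python
import re

# RACF access levels are hierarchical: a higher level satisfies a lower check.
LEVELS = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}
PERMIT = re.compile(
    r"PERMIT\s+(\S+)\s+CLASS\(FACILITY\)\s+ID\(([^)]+)\)\s+ACCESS\((\w+)\)", re.I)
# GLOBAL values from the page's examples; the user IDs below are constructed.
GLOBAL = {"BOSSID": "$FUSION", "CCC_BROWSE_FACILITY": "$CCC.BROWSE",
          "CCC_ALTER_FACILITY": "$CCC.ALTER", "CCC_ADMIN_FACILITY": "$CCC.ADMIN",
          "CCC_TRANSFER_FACILITY": "$CCC.TRANSFER"}
SAMPLE = """\
PERMIT $FUSION CLASS(FACILITY) ID(OPS01) ACCESS(READ)
PERMIT $FUSION CLASS(FACILITY) ID(SEC01) ACCESS(CONTROL)
PERMIT $FUSION.READ CLASS(FACILITY) ID(AUD01) ACCESS(READ)
PERMIT $FUSION.READ CLASS(FACILITY) ID(OPS01) ACCESS(READ)
PERMIT $CCC.ADMIN CLASS(FACILITY) ID(SEC01) ACCESS(READ)
PERMIT $CCC.BROWSE CLASS(FACILITY) ID(AUD01) ACCESS(READ)
"""

def parse_permits(text):
    """Return {profile: {userid: level}}; a later PERMIT replaces an earlier one."""
    acl = {}
    for m in PERMIT.finditer(text):
        profile, level = m.group(1).upper(), LEVELS[m.group(3).upper()]
        for uid in re.split(r"[\s,]+", m.group(2).strip().upper()):
            acl.setdefault(profile, {})[uid] = level
    return acl

def roles(acl, user, g=GLOBAL):
    """Platform server roles the permits give one user, per the rules on this page."""
    has = lambda prof, need="READ": acl.get(prof, {}).get(user, 0) >= LEVELS[need]
    boss, out = g["BOSSID"], []
    if has(boss, "CONTROL"):
        out.append("profile administrator")
    if has(boss):
        out.append("ISPF/REXX administrator")
    elif has(boss + ".READ"):  # .READ is only checked when the BOSSID check fails
        out.append("ISPF/REXX read-only")
    if has(g["CCC_ADMIN_FACILITY"]):
        out.append("Command Center: all functions")
    else:
        ccc = (("BROWSE", "inquiry"), ("ALTER", "alter"), ("TRANSFER", "transfer"))
        out += ["Command Center: " + label for key, label in ccc
                if has(g["CCC_%s_FACILITY" % key])]
    return out

def shadowed_read_permits(acl, g=GLOBAL):
    """Users whose .READ permit never applies because they also pass the BOSSID check."""
    boss = acl.get(g["BOSSID"], {})
    return sorted(u for u, lvl in acl.get(g["BOSSID"] + ".READ", {}).items()
                  if lvl >= LEVELS["READ"] and boss.get(u, 0) >= LEVELS["READ"])
```

A user reported by `shadowed_read_permits` holds full ISPF/REXX authority despite the read-only permit, which is worth confirming as intended during an access review.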