Defining RACF for IMS Security

If RACF is used to secure IMS transactions and commands, you must establish at least a minimal set of RACF definitions.

One symptom of missing RACF definitions is the appearance of messages such as the following:

    DFS3187W RACF NOT ACTIVE FOR RESUME TPIPE CLASS=RIMS RC=04. RACF
    EXIT RC=04 REASON CODE=00. IMS SSID

The following steps are presented as a guideline:

Note: The group IMSCMDS is assumed to have full authority to all IMS commands and transactions.

  1. Define the following three IMS RACF classes as generic profile checking classes:

    TSO SETROPTS GENERIC(CIMS RIMS TIMS) GENCMD(CIMS RIMS TIMS)

  2. Define a single, generic profile in the classes:

    TSO RDEFINE CIMS (*) OWNER(SYS1) UACC(NONE)
    TSO RDEFINE RIMS (*) OWNER(SYS1) UACC(NONE)
    TSO RDEFINE TIMS (*) OWNER(SYS1) UACC(NONE)

  3. Allow access to RACF group IMSCMDS:

    TSO PERMIT * CLASS(CIMS) ACCESS(READ) GENERIC ID(IMSCMDS)
    TSO PERMIT * CLASS(RIMS) ACCESS(READ) GENERIC ID(IMSCMDS)
    TSO PERMIT * CLASS(TIMS) ACCESS(READ) GENERIC ID(IMSCMDS)

  4. Activate the classes:

    TSO SETROPTS CLASSACT(CIMS RIMS TIMS)

You can define additional profiles with RDEFINE to limit the authority for specific transactions or commands, or to secure asynchronous hold queues, as necessary. For additional guidance on setting up RACF, see SecureWay Security Server RACF Security Administrator's Guide, SecureWay Security Server RACF Command Language Reference, and IMS Version 12 System Administration from IBM.
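
The paragraph above, as an added example that is not from the original page or from IBM: a batch TSO job (IKJEFT01) that adds a narrower profile in the TIMS class and then lists the result for review. The profile name PAY*, the group PAYGRP and the job card values are hypothetical; because RACF checks only the most specific matching profile, IMSCMDS is permitted to PAY* explicitly so that it keeps the authority it has through the * profile.

```jcl
//RACFIMS  JOB (ACCT),'IMS RACF PROFILES',CLASS=A,MSGCLASS=X
//*
//* Added example. Job card values are site-specific placeholders.
//* PAY* and PAYGRP are hypothetical names; IMSCMDS, SYS1 and the
//* TIMS class come from the steps above.
//*
//* 1. RDEFINE  - narrower generic profile, no default access.
//* 2. PERMIT   - PAYGRP may use transactions matching PAY*.
//* 3. PERMIT   - IMSCMDS is re-permitted: access granted on the
//*               * profile does not carry over to PAY*.
//* 4. SETROPTS - refresh in-storage generic profiles for TIMS.
//* 5. RLIST    - show the access list of PAY*, then of every
//*               profile in TIMS, to confirm who has access.
//* 6. SETROPTS LIST - confirm TIMS is listed as an active class
//*               with generic profile checking enabled.
//*
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE TIMS PAY* OWNER(SYS1) UACC(NONE)
  PERMIT PAY* CLASS(TIMS) ACCESS(READ) GENERIC ID(PAYGRP)
  PERMIT PAY* CLASS(TIMS) ACCESS(READ) GENERIC ID(IMSCMDS)
  SETROPTS GENERIC(TIMS) REFRESH
  RLIST TIMS PAY* AUTHUSER
  RLIST TIMS * AUTHUSER
  SETROPTS LIST
/*
```

Review the SYSTSPRT output: the RLIST access lists should show only the intended groups with READ, and UACC should be NONE on every profile.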