IMS Security Settings

IMS can provide optional RACF security-checking capabilities in OTMA environments.

The optional RACF security checks are as follows:

  • Client bids: determines whether OTMA clients can connect to IMS to send end-user messages to IMS for processing.
  • IMS commands: checks commands entered by end users attached to OTMA clients.
  • IMS transactions: checks transactions entered by end users attached to OTMA clients.
  • Asynchronous hold queues: verifies issuers of RESUME TPIPE, including Substation ES. (Messages are placed in the asynchronous queues by triggers.)

The OTMA security level for an IMS system determines whether IMS calls RACF to perform authorization checking for the above activities. However, regardless of the OTMA security level, IMS always invokes certain security exits, if they exist, including the Command Authorization Exit and the Security Reverification Exit.

IMS invokes the Transaction Authorization Exit according to two factors:

  • The OTMA security level for IMS. If the Transaction Authorization Exit exists in IMS, IMS always invokes it when the OTMA security level is NONE.
  • Whether RACF is invoked to process transaction authorization, and the resulting RACF return code. The other OTMA security levels, namely CHECK and FULL, result in IMS invoking RACF for transaction authorization processing.

If the Transaction Authorization Exit exists in IMS, IMS invokes it if and only if RACF does not deny authorization. That is, if RACF authorizes the user ID for the transaction, or if the transaction is not secured by RACF, IMS invokes the exit routine. Otherwise, IMS does not invoke that routine.