Example of RACF commands compared with Active Directory definitions

Access Type

Active Directory definitions in LDIF format

FCT control:

RACF Command:

RDEFINE FCICSFCT (file1, file2, .., filen)
  UACC(NONE)
  NOTIFY(sys_admin_userid)
PERMIT file1 CLASS(FCICSFCT) ID(group1, group2) ACCESS(UPDATE)
PERMIT file2 CLASS(FCICSFCT) ID(group1, group2) ACCESS(READ)

Default CICS CLASS used: FCICSFCT

Parameters passed to ESM:

  Entity: File ID
  Facility: Terminal
  Transaction active

dn: CN=FCICSFCT,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: add
objectClass: top
objectClass: container
description: CICS Class for FCT

dn: CN=FILESAF,CN=FCICSFCT,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: delete

dn: CN=FILESAF,CN=FCICSFCT,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: add
objectClass: microfocus-MFDS-Resource
microfocus-MFDS-Resource-Class: FCICSFCT
microfocus-MFDS-Resource-ACE: allow:SAFU:update
microfocus-MFDS-Resource-ACE: allow:PLTPISUR:update
microfocus-MFDS-Resource-ACE: allow:SYSADM group:update
microfocus-MFDS-Resource-ACE: allow:OPERATOR group:update
microfocus-MFDS-Resource-ACE: deny:*:execute
microfocus-MFDS-UID: mfuid
description: FILE used by test

DCT control:

RACF Command:

RDEFINE  DCICSDCT  (qid1, qid2, ..., qidn) UACC(NONE)
                   NOTIFY(sys_admin_userid)
PERMIT qid1 CLASS(DCICSDCT) ID(group1, group2) ACCESS(UPDATE)
PERMIT qid2 CLASS(DCICSDCT) ID(group1, group2) ACCESS(UPDATE)

Default CICS CLASS used: DCICSDCT

Parameters passed to ESM:

  Entity: DCT queue ID
  Facility: Terminal
  Transaction active

dn: CN=DCICSDCT,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: add
objectClass: top
objectClass: container
description: CICS Class for DCT

dn: CN=STDQ,CN=DCICSDCT,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: delete

dn: CN=STDQ,CN=DCICSDCT,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: add
objectClass: microfocus-MFDS-Resource
microfocus-MFDS-Resource-Class: DCICSDCT
microfocus-MFDS-Resource-ACE: allow:SAFU:update
microfocus-MFDS-Resource-ACE: deny:*:execute
microfocus-MFDS-UID: mfuid
description: TDQ used by test

TST control:

RACF Command:

RDEFINE  SCICSTST  (tsqueue1, tsqueue2, ..., tsqueuen) UACC(NONE)
                   NOTIFY(sys_admin_userid)
PERMIT tsqueue1 CLASS(SCICSTST) ID(group1, group2) ACCESS(UPDATE)
PERMIT tsqueue2 CLASS(SCICSTST) ID(group1, group2) ACCESS(UPDATE)

Default CICS CLASS used: SCICSTST

Parameters passed to ESM:

  Entity: TST queue ID
  Facility: Terminal
  Transaction active

dn: CN=SCICSTST,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: add
objectClass: top
objectClass: container
description: CICS Class for TST

dn: CN=STSQ,CN=SCICSTST,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: delete

dn: CN=STSQ,CN=SCICSTST,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: add
objectClass: microfocus-MFDS-Resource
microfocus-MFDS-Resource-Class: SCICSTST
microfocus-MFDS-Resource-ACE: allow:SAFU:update
microfocus-MFDS-Resource-ACE: deny:*:execute
microfocus-MFDS-UID: mfuid
description: TSQUEUE used by test

JCT control:

RACF Command:

RDEFINE  KCICSJCT  userjnls UACC(NONE)
                   ADDMEM(JRNL001, JRNL002, ....)
                   NOTIFY(sys_admin_userid)
PERMIT   userjnls  CLASS(KCICSJCT) ID(group_userid) ACCESS(UPDATE)

Default CICS CLASS used: JCICSJCT

Parameters passed to ESM:

  Entity: JCT ID
  Facility: Terminal
  Transaction active

dn: CN=JCICSJCT,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: add
objectClass: top
objectClass: container
description: CICS Class for JCT

dn: CN=01,CN=JCICSJCT,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: delete

dn: CN=01,CN=JCICSJCT,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: add
objectClass: microfocus-MFDS-Resource
microfocus-MFDS-Resource-Class: JCICSJCT
microfocus-MFDS-Resource-ACE: allow:SAFU:control
microfocus-MFDS-Resource-ACE: deny:*:execute
microfocus-MFDS-UID: mfuid
description: JOURNAL used by test

EXEC CICS START control:

RACF Command:

RDEFINE  ACICSPCT (tran1, tran2, ..., trann) UACC(NONE)
                  NOTIFY(sys_admin_userid)
PERMIT  tran1 CLASS(ACICSPCT)  ID(userid) ACCESS(READ)
PERMIT  tran2 CLASS(ACICSPCT)  ID(userid) ACCESS(READ)

Default CICS CLASS used:

  • TCICSTRN if a terminal is used on the EXEC CICS START
  • ACICSPCT if no terminal is used on the EXEC CICS START
  • SURROGAT if a user is specified on the EXEC CICS START

Parameters passed to ESM:

  • For TCICSTRN and ACICSPCT

    Entity: Transaction ID

    Facility: Terminal

  • For SURROGAT

    Entity: Surrogate Userid

    Entity-1-ptr: Surrogate ACEE

    Facility: Terminal

dn: CN=ACICSPCT,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: add
objectClass: top
objectClass: container
description: CICS Class for started transactions

dn: CN=TCICSTRN,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: add
objectClass: top
objectClass: container
description: CICS Class for TRANSACTIONS

dn: CN=SSST,CN=ACICSPCT,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: delete

dn: CN=SSST,CN=ACICSPCT,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: add
objectClass: microfocus-MFDS-Resource
microfocus-MFDS-Resource-Class: ACICSPCT
microfocus-MFDS-Resource-ACE: allow:SAFU:read
microfocus-MFDS-Resource-ACE: allow:SAFUSUR:read
microfocus-MFDS-Resource-ACE: deny:*:execute
microfocus-MFDS-UID: mfuid
description: CICS START with SURROGAT

dn: CN=SAFT,CN=TCICSTRN,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: delete

dn: CN=SAFT,CN=TCICSTRN,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: add
objectClass: microfocus-MFDS-Resource
microfocus-MFDS-Resource-Class: TCICSTRN
microfocus-MFDS-Resource-ACE: allow:SAFU:read
microfocus-MFDS-Resource-ACE: deny:*:execute
microfocus-MFDS-UID: mfuid
description: Transaction used by test

EXEC CICS LINK/XCTL/LOAD control:

RACF Command:

RDEFINE  MCICSPPT  (prog1, prog2, ..., progn)  UACC(NONE)
                  NOTIFY(sys_admin_userid)
PERMIT  prog1 CLASS(MCICSPPT)  ID(userid) ACCESS(READ)
PERMIT  prog2 CLASS(MCICSPPT)  ID(userid) ACCESS(READ)

Default CICS CLASS used: MCICSPPT

Parameters passed to ESM:

  • Entity: Program Name
  • Facility: Terminal
  • Transaction active

dn: CN=MCICSPPT,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: add
objectClass: top
objectClass: container
description: CICS Class for PPT

dn: CN=SAFLINK,CN=MCICSPPT,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: delete

dn: CN=SAFLINK,CN=MCICSPPT,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: add
objectClass: microfocus-MFDS-Resource
microfocus-MFDS-Resource-Class: MCICSPPT
microfocus-MFDS-Resource-ACE: allow:SAFU:control
microfocus-MFDS-Resource-ACE: deny:*:execute
microfocus-MFDS-UID: mfuid
description: Program to test LINK

EXEC CICS SET/INQUIRE/ENABLE/DISABLE control:

RACF Command:

RDEFINE  CCICSCMD CMDSAMP UACC(NONE)
                  NOTIFY(sys_admin_userid)
                  ADDMEM(AUTINSTMODEL, AUTOINSTALL, CONNECTION,
                  DSNAME, TRANSACTION, TRANDUMPCODE, VTAM)
PERMIT CMDSAMP CLASS(VCICSCMD) ID(operator_group) ACCESS(READ)

Default CICS CLASS used: CCICSCMD

Parameters passed to ESM:

  Entity: Resource name
  Facility: Terminal
  Transaction active

Resource Name can be:
  'PROCESSTYPE'.
  'LINE'.
  'MVSTCB'.
  'LSRPOOL'.
  'MAPSET'.
  'PARTITIONSET'.
  'SESSIONS'.
  'TYPETERM'.
  'EXITPROGRAM'.
  'JOURNALMODEL'.
  'REQID'.
  'TRACEDEST'.
  'TRACEFLAG'.
  'TRACETYPE'.
  'TSQUEUE'.
  'AUTINSTMODEL'.
  'AUTOINSTALL'.
  'BRFACILITY'.
  'CLASSCACHE'.
  'CONNECTION'.
  'CORBASERVER'.
  'DB2CONN'.
  'DB2ENTRY'.
  'DB2TRAN'.
  'DELETSHIPPED'.
  'DISPATCHER'.
  'DJAR'.
  'DOCTEMPLATE'.
  'DSNAME'.
  'DUMPDS'.
  'ENQMODEL'.
  'EXCI'.
  'FILE'.
  'IRC'.
  'JOURNALNAME'.
  'JVM'.
  'JVMPOOL'.
  'JVMPROFILE'.
  'MODENAME'.
  'MONITOR'.
  'PARTNER'.
  'PROFILE'.
  'PROGRAM'.
  'REQUESTMODEL'.
  'STATISTICS'.
  'STORAGE'.
  'STREAMNAME'.
  'SYSDUMPCODE'.
  'SYSTEM'.
  'TASK'.
  'TCLASS'.
  'TCPIP'.
  'TCPIPSERVICE'.
  'TDQUEUE'.
  'TERMINAL'.
  'TRANDUMPCODE'.
  'TRANSACTION'.
  'TSMODEL'.
  'TSPOOL'.
  'TSQNAME'.
  'UOW'.
  'UOWDSNFAIL'.
  'UOWENQ'.
  'UOWLINK'.
  'VTAM'.
  'WEB'.
  'WORKREQUEST'.
  'DUMP'.
  'RESETTIME'.
  'FEPIRESOURCE'.
  'BEAN'.
  'CFDTPOOL'.
  'RRMS'.
  'SUBPOOL'.
  'SECURITY'.
  'SHUTDOWN'.
  'UNKNOWN'.

dn: CN=CCICSCMD,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: add
objectClass: top
objectClass: container
description: CICS Class for CMDS

dn: CN=PROGRAM,CN=CCICSCMD,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: delete

dn: CN=PROGRAM,CN=CCICSCMD,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: add
objectClass: microfocus-MFDS-Resource
microfocus-MFDS-Resource-Class: CCICSCMD
microfocus-MFDS-Resource-ACE: allow:PLTPISUR:control
microfocus-MFDS-Resource-ACE: allow:SAFU:control
microfocus-MFDS-Resource-ACE: allow:SYSADM group:control
microfocus-MFDS-Resource-ACE: deny:*:execute
microfocus-MFDS-UID: mfuid
description: PROGRAM entity for EXEC CICS SET/ENABLE/DISABLE commands

dn: CN=EXITPROGRAM,CN=CCICSCMD,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: delete

dn: CN=EXITPROGRAM,CN=CCICSCMD,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: add
objectClass: microfocus-MFDS-Resource
microfocus-MFDS-Resource-Class: CCICSCMD
microfocus-MFDS-Resource-ACE: allow:PLTPISUR:control
microfocus-MFDS-Resource-ACE: allow:SAFU:control
microfocus-MFDS-Resource-ACE: allow:SYSADM group:control
microfocus-MFDS-Resource-ACE: deny:*:execute
microfocus-MFDS-UID: mfuid
description: EXITPROGRAM entity for EXEC CICS SET/ENABLE/DISABLE commands

dn: CN=TRANSACTION,CN=CCICSCMD,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: delete

dn: CN=TRANSACTION,CN=CCICSCMD,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: add
objectClass: microfocus-MFDS-Resource
microfocus-MFDS-Resource-Class: CCICSCMD
microfocus-MFDS-Resource-ACE: allow:PLTPISUR:control
microfocus-MFDS-Resource-ACE: allow:SAFU:control
microfocus-MFDS-Resource-ACE: allow:SYSADM group:control
microfocus-MFDS-Resource-ACE: deny:*:execute
microfocus-MFDS-UID: mfuid
description: TRANSACTION entity

EXEC CICS QUERY SECURITY control:

Default CICS CLASS used:

  Restype        Class
  DB2ENTRY       DB2ENTRY
  FILE           FCICSFCT
  JOURNALNAME    JCICSJCT
  JOURNALNUM     JCICSJCT
  PROGRAM        MCICSPPT
  PSB            PCICSPSB
  SPCOMMAND      CCICSCMD
  TDQUEUE        DCICSDCT
  TRANSACTION    TCICSTRN
  TRANSATTACH    ACICSPCT
  TSQUEUE        SCICSTST
   

Parameters passed to ESM:

  • Entity: RESID
  • Facility: Terminal
  • Transaction active

 

CASSTART/CASSTOP/CASFILE/CASSUB/CASOUT Commands control:

CLASS used: OPERCMDS

Parameters passed to ESM:

  Entity: Command (casstart/casstop/casfile/cassub/casout)

dn: CN=OPERCMDS,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: add
objectClass: top
objectClass: container
description: CICS Class for casstart/casstop/casfile....

dn: CN=casstart,CN=OPERCMDS,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: delete

dn: CN=casstart,CN=OPERCMDS,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local
changetype: add
objectClass: microfocus-MFDS-Resource
microfocus-MFDS-Resource-Class: OPERCMDS
microfocus-MFDS-Resource-ACE: allow:SAFU:alter
microfocus-MFDS-Resource-ACE: allow:SYSAD:alter
microfocus-MFDS-Resource-ACE: allow:SYSADM group:alter
microfocus-MFDS-Resource-ACE: deny:*:execute
microfocus-MFDS-UID: mfuid
description: casstart users
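
An ACE such as allow:SYSADM group:update is easy to truncate when an LDIF file is wrapped or pasted, and a resource entry can end up under a class container that does not match its microfocus-MFDS-Resource-Class. The following pre-import check is an added example, not Micro Focus code; it assumes the ACE shape action:subject:permission and only the permission names seen in the entries on this page, and its sample input is constructed.

```python
import re

ACE_ATTR = "microfocus-MFDS-Resource-ACE"
CLASS_ATTR = "microfocus-MFDS-Resource-Class"
KNOWN = {"dn", "changetype", "objectClass", "description",
         "microfocus-MFDS-UID", ACE_ATTR, CLASS_ATTR}
# Assumption: permission names are limited to those used in this page's examples.
ACE_RE = re.compile(r"^(allow|deny):[^:]+:(read|update|control|alter|execute)$")

def parse_ldif(text):
    """Split LDIF into records of (attr, value) pairs, unfolding RFC 2849 folded lines."""
    records = []
    for block in re.split(r"\n[ \t]*\n", text.strip("\n")):
        lines = re.sub(r"\n ", "", block).splitlines()  # newline + one space = fold
        pairs = [line.partition(":") for line in lines if line.strip()]
        records.append([(a.strip(), v.strip()) for a, _, v in pairs])
    return [r for r in records if r]

def lint(text):
    """Return (dn, problem) findings for the resource entries in an LDIF file."""
    findings = []
    for rec in parse_ldif(text):
        dn = rec[0][1] if rec[0][0] == "dn" else "<no dn>"
        rdns = [part.split("=", 1)[1] for part in dn.split(",") if "=" in part]
        for attr, value in rec:
            if attr not in KNOWN:
                findings.append((dn, f"unexpected line {attr}:{value}"))
            elif attr == ACE_ATTR and not ACE_RE.match(value):
                findings.append((dn, f"malformed ACE {value}"))
            elif attr == CLASS_ATTR and (len(rdns) < 2 or rdns[1] != value):
                findings.append((dn, f"class {value} is not the DN's container"))
    return findings

# Constructed sample: the first entry folds its ACE correctly (continuation line);
# the second has a wrong class and an ACE broken across two unfolded lines.
BASE = "CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=local"
SAMPLE = f"""dn: CN=STDQ,CN=DCICSDCT,{BASE}
microfocus-MFDS-Resource-Class: DCICSDCT
microfocus-MFDS-Resource-ACE: allow:SYSADM
  group:update

dn: CN=FILESAF,CN=FCICSFCT,{BASE}
microfocus-MFDS-Resource-Class: DCICSDCT
microfocus-MFDS-Resource-ACE: allow:SYSADM
group:update
"""
```

Calling lint(SAMPLE) reports three findings, all against the FILESAF entry; the STDQ entry passes because its continuation line unfolds to a complete ACE.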
