
Using Started Procedures

From the document Program Product (Page 96-100)

Started procedures have system-generated JOB statements that do not contain the USER, GROUP, or PASSWORD parameter. However, only users and groups can be specifically authorized to access RACF-protected resources. To give started procedures the same ability, you can use the RACF started procedures table (ICHRIN03) to associate the names of started procedures with RACF userids and group names. This option is part of a process that allows started procedures, such as JES, to have specific authorization to access RACF-protected resources, such as spool data sets. (If a started procedure uses a RACF-protected resource, you must define the started procedure to RACF in the started procedures table, ICHRIN03.)

As with any other userid and group name, the userid and group name that you assign to a started procedure must be defined to RACF using the ADDUSER and ADDGROUP commands. You may also need to authorize the users and/or groups to the required resources using the PERMIT command. See the Command Language Reference for descriptions of the commands.

The started procedure name is always available to the exit routines, whether or not the name is coded in the module. It is available in the parameter list for the RACINIT SVC and in the ACEE control block for the RACHECK and RACDEF SVCs.

If a started procedure is executed without associating its name with a RACF-defined userid and group name, RACF uses the default userid (*) and group name (*) for authorization checking. The procedure can access RACF-protected resources if the universal access authority for the resource is sufficient to allow the requested operation. No user verification (password checking) takes place for a started procedure's userid.

RACF allows the started procedures table to contain a generic entry, indicated by an asterisk (*) in the procedure name field. When searching the table for a procedure name match, if RACF finds a procedure name of "*" as the last entry in the table and the procedure name was not specifically matched by any other entry in the table, RACF uses the "*" entry as a match for the procedure name.

Chapter 5. RACF Options 5-15

RACF also allows you to specify individual entries in the started procedures table as "privileged"; this means that all RACHECKs done for those entries are considered successful, without actually performing any checking. In these cases, RACF does not call any exit routines, does not generate any SMF records, and does not update any statistics. This bypassing also applies to the checking done for the CHKAUTH operand on the RACDEF macro instruction. All other RACF processing occurs as usual.

Note: If "ENTITY = ( ... ,CSA)" is coded on the RACHECK macro instruction, RACF ignores the privileged attribute and performs normal RACHECK processing.

Note: A started procedure that has the privileged attribute bypasses any checking done by RACHECK, including category and security level checking. It can also access resources during failsoft processing without having RACF prompt the operator for permission.

Coding the Started Procedures Module

The RACF program product contains a module (ICHRIN03) that you may replace with your own table to associate the names of started procedures with userids and group names. There are no entries in the module when you receive it from IBM.

The table becomes part of the link pack area. Therefore, after replacing the module, you must re-IPL the system with the CLPA option for the new module to be in effect. (You could also load the module into the MLPA, so that the link pack area does not have to be recreated.)

The module (ICHRIN03) should consist of a table in the following format:

• Number of entries in the following array - a halfword of binary data, with the high-order bit turned on to indicate the new format used in RACF Version 1 Release 6 or later. (Use X'0000' or X'8000' if there are no entries.)

• An array - Each entry consists of 32 bytes of data. The first 24 bytes of character data show the started procedure name and its associated userid and group name. Format each entry as follows:

Started procedure name - eight bytes of character data. The name is required. The started procedure name must be left justified and padded on the right with blanks.

Userid - eight bytes of character data. A userid is required. The userid (or an equal sign for generic entries) must be left justified and padded on the right with blanks. (The maximum length of a userid is eight characters.)

Group name - eight bytes of character data. The group name is optional. If a group name (or an equal sign for generic entries) is used, it must be left justified and padded on the right with blanks. If a group name is not used, this field must contain blanks.

Flags - one byte of binary data. Setting bit 0 on (X'80') indicates that this entry has the "privileged" attribute. The remaining seven bits must be zeroes. (See note.)

Reserved - seven bytes of binary data. These seven bytes must be binary zeroes.

Note: RACF accepts started procedures tables (including the use of generic entries) in the format used in RACF releases prior to Release 6. However, you cannot use the old format if you want to specify the privileged attribute.

Generic Entries

The started procedures table can contain one generic entry, indicated by an asterisk (*) in the procedure name field. This entry must be the last entry in the table; otherwise, it is ignored. The corresponding userid in this entry can be a valid userid or an equal sign (=). The group name specified in the table entry can be either blanks, a valid group name, or an equal sign (=).

Note: You can use the equal sign only for a generic started procedures table entry; it is invalid for non-generic entries.

When searching the table for a procedure name match, if RACF finds a procedure name of "*" as the last entry in the table and the procedure name was not specifically matched by any other entry in the table, RACF uses the "*" entry as a match for the procedure name.

If a userid is specified for the "*" entry, RACF associates that userid with the started procedure name. If the userid field contains an "=", RACF uses the procedure name that was matched with the generic entry (*) as the userid.

If the group name is blank, the started procedure will execute using the default group in the profile record for the specified userid (specified on the ADDUSER command). If the group name field contains an "=", RACF uses the procedure name that was matched with the generic entry (*) as the group name.

If the generic entry has an "=" for the userid (or group name), the procedure name that matches the equal sign must be defined to RACF as a userid (or group name); otherwise the procedure runs as an undefined RACF user (userid = *).

The userid and the group name cannot both contain values of "=" in the "*" procedure name entry of the table because it is not possible to have a RACF user and group with the same name. During RACF initialization, ICHSEC00 inspects the table entries for a possible generic entry. If ICHSEC00 finds a generic entry, and it is not the last entry, or if it contains an "=" in both the userid and group name fields, the system issues message ICH522I. This condition does not prevent RACF from being initialized. During execution, RACF ignores all the invalid entries, and all procedures that do not have an exact match in the table run as undefined users.


If you do not specify an "*" in the table, RACF uses the RACF default userid (*) and group name (*) for authorization checking.

Note: You should specify a password on the ADDUSER command for a started procedure. If you do not specify a password, RACF uses the userid default group as the password. Any user who knows the started procedure's default group can use the userid and default password to access the system.

The started procedures table (ICHRIN03) can include an entry indicated by an "*" in the procedure name field as the last entry in the table. The following examples show the possible formats of the "*" procedure name entry. Note that none of these examples has the "privileged" flag bit on.

Example 1

COUNT     PROC.     USERID    GROUP     FLAGS      RESERVED
X'8002'   PROC1     TSO1      SYS1      00000000   7 bytes of X'00'
          *         TSO2      =

If RACF searched the started procedures table in Example 1 for the procedure name PROC2, it would not find a specific match. RACF would consider the "*" entry in the table as a match for procedure PROC2. The userid associated with PROC2 is TSO2, and the group name is PROC2.

RACF associates PROC1 with userid TSO1 and group SYS1.

Example 2

COUNT     PROC.     USERID    GROUP     FLAGS      RESERVED
X'8002'   PROC1     TSO1      SYS1      00000000   7 bytes of X'00'
          *         =

If RACF searched the started procedures table in Example 2 for the procedure name PROC2, it would not find a specific match. RACF would consider the "*" entry in the table as a match for procedure PROC2. The userid associated with PROC2 is PROC2, and the group name is the default group defined for RACF user PROC2.

Example 3

COUNT     PROC.     USERID    GROUP     FLAGS      RESERVED
X'8001'   PROC1     TSO1      SYS1      00000000   7 bytes of X'00'

If RACF searched the started procedures table in Example 3 for the procedure name PROC2, it would not find a specific match. RACF would associate with PROC2 the default userid (*) and the default group name (*).

RACF associates PROC1 with userid TSO1 and group SYS1.

Example 4

COUNT     PROC.     USERID    GROUP     FLAGS      RESERVED
X'8002'   *         TSO2      SYS2      00000000   7 bytes of X'00'
          PROC1     TSO1      SYS1

If RACF searched the started procedures table in Example 4 for the procedure name PROC2, it would not find a specific match. Because the last entry in the table does not contain an "*" procedure name, RACF issues an error message during RACF initialization. RACF ignores the generic entry during RACINIT processing.

RACF associates PROC1 with userid TSO1 and group SYS1.
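As an added illustration (not code from the manual or from IBM), the following Python model covers both the ICHRIN03 layout described under "Coding the Started Procedures Module" and the generic-entry rules that Examples 1 to 4 walk through: it builds and parses new-format tables in EBCDIC, reports the conditions ICHSEC00 flags with ICH522I, and resolves a started procedure name to the userid and group RACF would use. The sample tables, the defined userids with their default groups, and the group list are constructed for the example and do not come from any real system.

```python
from typing import NamedTuple

EBCDIC = "cp037"   # ICHRIN03 character fields are EBCDIC, left justified and blank padded
Entry = NamedTuple("Entry", [("proc", str), ("userid", str), ("group", str), ("privileged", bool)])

def build_table(*rows):
    # New-format table: halfword count with the high-order bit on, then one 32-byte entry per row
    # (proc name, userid, group: 8 EBCDIC bytes each; one flags byte; seven reserved X'00' bytes)
    body = b"".join(b"".join(f.ljust(8).encode(EBCDIC) for f in r[:3]) + bytes([r[3]]) + bytes(7) for r in rows)
    return (0x8000 | len(rows)).to_bytes(2, "big") + body

def parse_ichrin03(blob):
    count = int.from_bytes(blob[:2], "big")
    if not count & 0x8000:
        raise ValueError("old-format table: high-order bit of the count is off")
    entries = []
    for i in range(count & 0x7FFF):
        rec = blob[2 + 32 * i:2 + 32 * (i + 1)]
        if len(rec) != 32 or rec[24] & 0x7F or rec[25:] != bytes(7):
            raise ValueError(f"entry {i}: truncated, or reserved flag bits / reserved bytes are not zero")
        proc, userid, group = (rec[o:o + 8].decode(EBCDIC).rstrip() for o in (0, 8, 16))
        entries.append(Entry(proc, userid, group, bool(rec[24] & 0x80)))  # flags bit 0 = privileged
    return entries

def check_table(entries):
    # Conditions ICHSEC00 reports with ICH522I (entry ignored), plus the "=" rule for non-generic entries
    problems = []
    for i, e in enumerate(entries):
        if e.proc == "*" and (i != len(entries) - 1 or e.userid == e.group == "="):
            problems.append(f"entry {i}: generic entry is not last, or userid and group are both '=' (ICH522I)")
        elif e.proc != "*" and "=" in (e.userid, e.group):
            problems.append(f"entry {i}: '=' is invalid in a non-generic entry")
    return problems

def resolve(entries, proc, users, groups):
    # (userid, group) RACF associates with started procedure `proc`; "*" is the undefined default
    for e in entries:
        if e.proc == proc:
            return e.userid, e.group or users.get(e.userid, "*")
    last = entries[-1] if entries else Entry("", "", "", False)
    if last.proc != "*" or last.userid == last.group == "=" \
            or (last.userid == "=" and proc not in users) or (last.group == "=" and proc not in groups):
        return "*", "*"  # no usable generic entry, or "=" names a userid/group RACF does not know
    userid = proc if last.userid == "=" else last.userid
    return userid, proc if last.group == "=" else (last.group or users.get(userid, "*"))

EX1 = build_table(("PROC1", "TSO1", "SYS1", 0), ("*", "TSO2", "=", 0))       # constructed: Example 1
EX4 = build_table(("*", "TSO2", "SYS2", 0), ("PROC1", "TSO1", "SYS1", 0))    # constructed: Example 4
USERS = {"TSO1": "SYS1", "TSO2": "SYS2", "PROC2": "STCGRP"}  # constructed: defined userid -> default group
GROUPS = {"SYS1", "SYS2", "PROC2"}                            # constructed: defined group names
```

Running check_table over a dumped ICHRIN03 before the CLPA IPL catches the misordered generic entry of Example 4 and the both-"=" case, which RACF otherwise only reports at initialization and then silently ignores.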
