(zos)

Cluster authorizations

This section discusses the kinds of authorization checking WebSphere Application Server for z/OS does for a clusters. Servants must have access to profiles in the RACF SERVER class. This controls whether a servant can call authorized routines in the controller.

The following explains the kinds of authorization checking WebSphere Application Server for z/OS does for clusters.

1. Servants must have access to profiles in the RACF SERVER class. This controls whether a servant can call authorized routines in the controller.

   Controllers do not require such access control. Only authorized programs, loaded from Authorized Program Facility (APF) libraries, run in controllers.

2. Resource managers such as DB2 , IBM Information Management System (IMS™), and Customer Information Control System (CICS ) have implemented their own resource controls, which control the ability of applications to access resources.

   When resource controls are used by DB2, all controllers and servants need to be granted access to the relevant resources. We can grant access using the DSNR RACF class (if we have RACF support) or by issuing the relevant DB2 GRANT statements.

   Access to Open Transaction Manager Access (OTMA) for IMS access is accomplished through the FACILITY Class (IMSXCF.OTMACI). Access to EXCI for CICS is accomplished through the SURROGAT class (*.DFHEXCI).

   We can control access to data sets through the DATASET class and hierarchical file system (HFS) files through file permissions.

Subtopics

• (zos) Server process authorization checking
  We can specify specific access restrictions to z/OS resources.

Related tasks

Use CBIND to control access to clusters

Summary of controls