Grant user access to a profile in the RDATALIB
This section outlines the necessary steps for configuring a secure host session connection, particularly when utilizing SAF (System Authorization Facility) keyrings for authentication, which is often required for features such as Web Express Logon.
These are recommended steps; consult your administrator to validate them in your environment.
- Define function profiles.
  Create the profile that, by default, prevents users from listing the keyring and its contents:
  RDEFINE RDATALIB IRR.RDATALIB.LISTRING.ACCESS UACC(NONE)
  Create the profile that, by default, prevents users from accessing the certificate and keyring resources:
  RDEFINE RDATALIB IRR.RDATALIB.CONNECT UACC(NONE)
- Grant the user specified by USERID READ (or UPDATE) access to a specific key ring resource:
  PERMIT IRR.RDATALIB.LISTRING.ACCESS CLASS(RDATALIB) ID(USERID) ACCESS(READ)
  PERMIT IRR.RDATALIB.CONNECT CLASS(RDATALIB) ID(USERID) ACCESS(READ)
  PERMIT KEYRINGOWNER.KEYRINGNAME.LST CLASS(RDATALIB) ID(USERID) ACCESS(READ)
  READ access does NOT allow extraction or use of private keys from PERSONAL certificates when the accessing user ID differs from the KEYRINGOWNER. If that is required, grant UPDATE instead, for client authentication and private key retrieval.
  Note: Even though KEYRINGOWNER owns KEYRINGNAME, RACF may deny access unless it is explicitly permitted, so it is recommended to execute these commands even when KEYRINGOWNER is the same as USERID.
- Activate and refresh the RDATALIB class:
  SETROPTS CLASSACT(RDATALIB) RACLIST(RDATALIB)
  SETROPTS RACLIST(RDATALIB) REFRESH
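The whole procedure with constructed placeholder values, as an added example that is not part of the original page: it assumes a keyring owner HODSRV, a ring named HODRING and a client user HODUSER (all placeholders), is written as a CLIST-style command list, and ends with an RLIST check to confirm who actually holds access to the ring profile.

```tso
/* Added example with constructed placeholder values:              */
/*   HODSRV  = KEYRINGOWNER (user ID that owns the key ring)        */
/*   HODRING = KEYRINGNAME                                          */
/*   HODUSER = USERID that must open the ring from the host session */

/* 1. Function profiles: deny listing and connecting by default     */
RDEFINE RDATALIB IRR.RDATALIB.LISTRING.ACCESS UACC(NONE)
RDEFINE RDATALIB IRR.RDATALIB.CONNECT UACC(NONE)

/* 2. Ring-specific profile. A PERMIT needs an existing profile;    */
/*    skip this if a generic RDATALIB profile already covers it.    */
RDEFINE RDATALIB HODSRV.HODRING.LST UACC(NONE)

/* 3. READ: HODUSER may list the ring and use its certificates,     */
/*    but not the private key of a PERSONAL certificate owned by    */
/*    HODSRV                                                        */
PERMIT IRR.RDATALIB.LISTRING.ACCESS CLASS(RDATALIB) ID(HODUSER) ACCESS(READ)
PERMIT IRR.RDATALIB.CONNECT CLASS(RDATALIB) ID(HODUSER) ACCESS(READ)
PERMIT HODSRV.HODRING.LST CLASS(RDATALIB) ID(HODUSER) ACCESS(READ)

/* Permit the owner as well: owning the ring is not an access grant */
PERMIT HODSRV.HODRING.LST CLASS(RDATALIB) ID(HODSRV) ACCESS(READ)

/* 4. Only if HODUSER must authenticate with a client certificate   */
/*    whose PERSONAL private key belongs to HODSRV, raise to UPDATE */
/* PERMIT HODSRV.HODRING.LST CLASS(RDATALIB) ID(HODUSER) ACCESS(UPDATE) */

/* 5. Activate the class; PERMIT changes take effect only after the */
/*    in-storage profiles are refreshed                             */
SETROPTS CLASSACT(RDATALIB) RACLIST(RDATALIB)
SETROPTS RACLIST(RDATALIB) REFRESH

/* 6. Verify: the access list should show HODUSER and HODSRV with   */
/*    READ (or UPDATE) and the universal access should remain NONE  */
RLIST RDATALIB HODSRV.HODRING.LST AUTHUSER
```

If the RLIST output shows a UACC other than NONE or a broader ID list than expected, correct it before enabling the host session, since every user on the system would otherwise be able to list the ring.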