Customizing the RCFRRSTB Table

The RCFRRSTB table is an assembler source that consists of a sequence of CTSRRSTB macro calls.

  • The first CTSRRSTB macro call is used to define the special dummy user name (described in step 5 in Customization and Operation of Connector for RACF on Non-Managed Nodes) used by the ALTUSER command that encapsulates the password change event. This dummy user must not be defined in any RACF system. (The dummy user name provided in the sample is: $#@$$@#$)

    The first macro call in the RCFRRSTB source is:

    RCFRRSTB CTSRRSTB START=YES,CTSDUMY=dummy_username

    where dummy_username is a dummy user name (up to 8 characters).

    Label RCFRRSTB is mandatory and generates the external CSECT table name.

    Note
    This dummy user name must be specified in member RRSFPARM in the PARM library on all non-managed nodes as the value of parameter DUMMY_USER. See step 5 in Customization and Operation of Connector for RACF on Non-Managed Nodes.

  • Subsequent CTSRRSTB macro calls are used to denote the valid combinations of the following:

    • Origin non-managed node

    • RACF user ID associated with the Online Interceptor started task on the non-managed node.

    • Local RACF user (on the target managed node) to which the encapsulating RACF command is directed.

    Note
    User ID association between the RACF user ID on the non-managed node and the RACF user on the managed node must be defined using the RACLINK command. For more information, see step 3 in Customization and Operation of Connector for RACF on Non-Managed Nodes.

The valid combinations of origin user, origin node, and local user are listed in RCFRRSTB assembler source as a sequence of entries, using the following syntax:

CTSRRSTB SRCUSER=source_user,SRCNODE=source_node,LCLUSER=local_user

where:

  • source_user – name of a RACF user on the non-managed node (up to 8 characters)

  • source_node – name of a non-managed node (up to 8 characters)

  • local_user – name of a local RACF user on the managed node (up to 8 characters)

Each such entry instructs the CTSEVX01 module to accept user-initiated password change events from the Connector Online Interceptor that are:

  • running under the specified RACF user (source_user)

  • on the specified non-managed node (source_node)

These should be processed by the local exit running with the specified local_user ACEE (RACF user security block).

In each CTSRRSTB entry, the granularity of the security specification is determined by the fields SRCUSER, SRCNODE and LCLUSER.

You can lower and simplify the granularity by modifying the specification to one of the following:

  • SRCUSER and SRCNODE. The field LCLUSER defaults to * (any LCLUSER)

  • SRCUSER. The fields SRCNODE and LCLUSER default to * (any SRCNODE and LCLUSER)

  • No field (the entry is specified as the CTSRRSTB macro call without operands). All three fields default to * (any SRCUSER, any SRCNODE and any LCLUSER).

Note
This entry is contained in the RCFRRSTB table in the provided sample. See the sample table provided below. If the entire RCFRRSTB table source contains entries with multiple granularities, only those entries with the highest granularity (greatest number of fields) are considered for matching by the CTSEVX01 module at run time.

Sample RCFRRSTB Table source

This section lists member RCFRRSTB in the INSTALL library that contains Connector for RACF. This is an example of a full RCFRRSTB specification, including a leading (header) CTSRRSTB macro call, one CTSRRSTB security entry, and a trailer (last) CTSRRSTB macro call.

*
        PRINT GEN
RCFRRSTB CTSRRSTB START=YES,CTSDUMY=$#@$$@#$
*>>ABOVE RCFRRSTB LABEL IS MANDATORY AND GENERATES CSECT NAME
        CTSRRSTB
*>>ABOVE CTSRRSTB ENTRY DEFAULTS TO FOLLOWING:
*>>        CTSRRSTB SRCUSER=*,SRCNODE=*,LCLUSER=*         ('*' DENOTES ANY)
        CTSRRSTB END=YES
        END
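
The following Python script is an added example, not part of the product or of the original page. It audits an RCFRRSTB source against the rules described above: it flags the catch-all entry, names longer than 8 characters, and entries that are not considered for matching because a higher-granularity entry exists. It assumes each macro call is coded on one line; the user and node names in the sample are constructed.

```python
import re

FIELDS = ("SRCUSER", "SRCNODE", "LCLUSER")
# Field combinations the page documents, most to least specific.
DOCUMENTED = (FIELDS, FIELDS[:2], FIELDS[:1], ())

# Constructed sample; the user and node names are invented for illustration.
SAMPLE = """\
RCFRRSTB CTSRRSTB START=YES,CTSDUMY=$#@$$@#$
         CTSRRSTB SRCUSER=CTSOIA,SRCNODE=NODEA,LCLUSER=CTSLCL
         CTSRRSTB SRCUSER=CTSOIB,SRCNODE=NODEB
         CTSRRSTB
         CTSRRSTB END=YES
         END
"""

def parse_entries(source):
    """Return security entries as dicts, skipping comments, header and trailer."""
    entries = []
    for line in source.splitlines():
        m = re.match(r"\S*\s+CTSRRSTB(?!\S)(?:\s+(\S+))?", line)
        if line.startswith("*") or not m:
            continue
        ops = dict(o.split("=", 1) for o in (m.group(1) or "").split(",") if "=" in o)
        if "START" not in ops and "END" not in ops:
            entries.append(ops)
    return entries

def audit(source):
    """Return (entries considered for matching, findings) for a table source."""
    entries, findings = parse_entries(source), []
    # A field left out or coded as * is a wildcard and adds no granularity.
    specs = [tuple(f for f in FIELDS if e.get(f, "*") != "*") for e in entries]
    for e, named in zip(entries, specs):
        if named not in DOCUMENTED:
            findings.append(f"field combination not listed on the page: {e}")
        if not named:
            findings.append("catch-all entry: any SRCUSER, SRCNODE and LCLUSER")
        findings += [f"{f}={e[f]} exceeds 8 characters" for f in named if len(e[f]) > 8]
    # Per the page's note, only entries with the most fields are matched.
    top = max(map(len, specs), default=0)
    findings += [f"not considered (lower granularity): {e}"
                 for e, named in zip(entries, specs) if len(named) < top]
    return [e for e, named in zip(entries, specs) if len(named) == top], findings

if __name__ == "__main__":
    effective, findings = audit(SAMPLE)
    print("considered:", effective)
    print("\n".join(findings))
```

Run against the sample table shipped in the INSTALL library, the audit reports the single catch-all entry, which is the one to replace with explicit SRCUSER, SRCNODE and LCLUSER values.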