IBM Enhanced Access Control for Software Configuration and Library Manager (SCLM) for z/OS™ provides additional control over access to SCLM managed libraries.
Improves access control of your SCLM resources
Enhanced Access Control for SCLM augments RACF® controls. After normal RACF security controls are applied, Enhanced Access Control for SCLM can be used to grant access when a specific set of applications, such as SCLM, is used. The applications can even define various sub functions of SCLM; for example, an SCLM Promote may be allowed access whereas an SCLM Edit may be denied access.
Without Enhanced Access Control for SCLM, SCLM users operating in a RACF environment must be granted UPDATE access to manipulate SCLM managed data sets. Otherwise, they would receive RACF "data set violations" when performing various SCLM functions. However, the UPDATE access applies even if the data set is accessed using facilities other than SCLM, so those users can also update the data sets from outside SCLM.
Prevents unintended changes to SCLM managed data sets
The central concept of Enhanced Access Control for SCLM is that access to SCLM resources is provided when SCLM programs are used. This avoids the potential for unexpected changes to SCLM data sets resulting from updates using non-SCLM programs. The SCLM programs are described using applications. The data sets to be controlled and their access rules are described using Profiles.
Offers additional levels of access control
Currently, access to SCLM controlled data is restricted by RACF or another security package, on a data set basis. Enhanced Access Control for SCLM works with IBM RACF to allow you to further restrict access to SCLM data so that it can only be accessed using the SCLM Family of products. It also allows you to restrict access from within the SCLM Family based on function, so that you can decide which users should have access to which SCLM functions.
When Enhanced Access Control for SCLM is active, it monitors RACF data set violations. If a violation occurs for a data set managed according to the Enhanced Access Control for SCLM profiles, then the defined access rules are used to assign access privileges. If sufficient access privilege is not defined, then a RACF "data set violation" occurs.
Like RACF, Enhanced Access Control for SCLM has its own rules database that describes the conditions under which access is granted. These are contained in the Rule File, a VSAM KSDS that is administered via the ISPF Dialog. From these online panels, the Enhanced Access Control for SCLM administrator can:
- Define the data sets or generic RACF data set Profiles to be controlled
- Define SCLM and its sub functions as Applications
- Define the users granted access privileges to a Profile via an Application
- View violation records collected by Enhanced Access Control for SCLM.
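The decision order described above (RACF first, then the Profile/Application/user rules, then a recorded violation) can be modelled as follows. This is an added illustration, not IBM code or the product's rule format: the user ID, data set names, Application names and the use of `fnmatch` in place of RACF generic-profile matching are all assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

LEVEL = {"NONE": 0, "READ": 1, "UPDATE": 2}

@dataclass(frozen=True)
class Rule:
    profile: str      # data set name or generic pattern (fnmatch stands in for RACF generics)
    application: str  # hypothetical Application name for SCLM or one of its sub functions
    user: str
    access: str

# Constructed sample data; every name below is hypothetical.
RACF = {("DEV1", "PROJ.PROD.SOURCE"): "READ"}  # baseline RACF access: READ only
RULES = [Rule("PROJ.PROD.*", "SCLM.PROMOTE", "DEV1", "UPDATE")]
violations = []  # records an administrator would later review

def decide(user, dataset, application, requested):
    """Return (decision, source) for one access request."""
    # Step 1: normal RACF controls are applied first.
    if LEVEL[RACF.get((user, dataset), "NONE")] >= LEVEL[requested]:
        return ("ALLOW", "RACF")
    # Step 2: RACF would raise a violation, so the access rules are consulted.
    for r in RULES:
        if (fnmatchcase(dataset, r.profile) and r.application == application
                and r.user == user and LEVEL[r.access] >= LEVEL[requested]):
            return ("ALLOW", "RULE")
    # Step 3: no sufficient privilege is defined; the violation stands.
    violations.append((user, dataset, application, requested))
    return ("DENY", "VIOLATION")

if __name__ == "__main__":
    requests = [("SCLM.PROMOTE", "UPDATE"), ("SCLM.EDIT", "UPDATE"),
                ("ISPF.EDIT", "UPDATE"), ("ISPF.BROWSE", "READ")]
    for app, req in requests:
        print(app, req, decide("DEV1", "PROJ.PROD.SOURCE", app, req))
```

The user holds only READ in RACF, so UPDATE succeeds solely through the Promote rule; the same UPDATE through SCLM Edit or a non-SCLM editor ends as a recorded violation.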