Examples of FACILITY class definitions

This section illustrates FACILITY class definitions with two examples that give two different groups different levels of access. The examples are based on a CICS region with the applid CICSPROD, where two groups of users need different levels of access to objects in the CICS region control file.
  • Example 1: The first group is the application development staff, who are defined in the RACF group APPLDEV. This group is to be permitted to create, view, update, and delete any object for CICSPROD. However, they are not to be allowed to execute the objects through the batch request utility.
  • Example 2: The second group of users is the production operations staff, who are in the RACF group PRODOPS. This group is to be permitted to view and execute any of the objects for CICSPROD, but they are not to be permitted to create, edit, or delete them.

The first step, for both examples, is to deny all access within CICSPROD by default by issuing the following RACF RDEFINE command:

RDEFINE FACILITY $CBK.CICSPROD.** UACC(NONE)

With all access to CICSPROD resources denied by default, you can implement the APPLDEV group requirements, starting with a profile for the ADMIN object type:

RDEFINE FACILITY $CBK.CICSPROD.ADMIN.** UACC(NONE)

This profile is specific to the ADMIN object type and takes precedence over the generic CICSPROD profile defined above. Using this profile, you can grant the access required by the APPLDEV group with the following command:

PERMIT $CBK.CICSPROD.ADMIN.** CLASS(FACILITY) ID(APPLDEV) ACCESS(UPDATE)
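
The precedence rule described above can be checked with a small Python model. This is an added illustration, not code from the product or from RACF: it selects the most specific profile that covers a resource and decides from that profile alone. The resource names ending in SAMPLE1, the reduced matching rules, and the helper names are assumptions.

```python
# Simplified model of RACF best-match profile selection (added example).
# Assumptions: only trailing '.**' generics, group IDs as the only access-list
# entries, and constructed resource names; real RACF matching has more rules.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]  # ascending authority

# Profiles from the page: name -> UACC plus access list (ID -> ACCESS).
PROFILES = {
    "$CBK.CICSPROD.**": {"uacc": "NONE", "acl": {}},
    "$CBK.CICSPROD.ADMIN.**": {"uacc": "NONE", "acl": {"APPLDEV": "UPDATE"}},
}


def matches(profile, resource):
    """True if a 'PREFIX.**' profile (or a discrete name) covers the resource."""
    if not profile.endswith(".**"):
        return profile == resource
    prefix = profile[:-3].split(".")
    # '**' stands for zero or more trailing qualifiers.
    return resource.split(".")[:len(prefix)] == prefix


def specificity(profile):
    """Discrete names outrank generics; then more literal qualifiers win."""
    generic = profile.endswith(".**")
    parts = profile.split(".")
    return (not generic, len(parts) - 1 if generic else len(parts))


def best_profile(resource, profiles=PROFILES):
    """Return the most specific covering profile name, or None."""
    hits = [p for p in profiles if matches(p, resource)]
    return max(hits, key=specificity, default=None)


def check_access(group, resource, requested, profiles=PROFILES):
    """Decide from the best-match profile only; no fallback to broader ones."""
    name = best_profile(resource, profiles)
    if name is None:
        return False  # no covering profile; this model denies
    profile = profiles[name]
    granted = profile["acl"].get(group, profile["uacc"])
    return LEVELS.index(granted) >= LEVELS.index(requested)
```

Because only the best-match profile is consulted, a permit added to `$CBK.CICSPROD.**` does not carry into resources covered by `$CBK.CICSPROD.ADMIN.**`.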