This section illustrates FACILITY class definitions with two examples
that give two different groups different levels of access.
The examples are based on a CICS region with applid CICSPROD, in which
two groups of users need different levels of access to
objects in the CICS region control file.
- Example 1: The first group of users is the
application development group, who are defined in the RACF
group APPLDEV. This group is to be permitted to create, view, update,
and delete any object for CICSPROD. However, they are not to be allowed
to execute the objects through the batch request utility.
- Example 2: The second group of users is
the production operations staff, who are in the RACF group PRODOPS.
This group is to be permitted to view and execute any of the objects
for CICSPROD, but they are not to be permitted to create, edit, or
delete them.
The first step, for both examples, is to deny all access
to CICSPROD resources by default by issuing the following RACF RDEFINE
command:
RDEFINE FACILITY $CBK.CICSPROD.** UACC(NONE)
With all access to CICSPROD resources denied by default, you can
implement the APPLDEV group requirements by defining the following profile:
RDEFINE FACILITY $CBK.CICSPROD.ADMIN.** UACC(NONE)
This profile is specific to the ADMIN object type and takes precedence
over the generic CICSPROD profile defined above. Using this profile,
you can grant the access required by the APPLDEV group with the following
command:
PERMIT $CBK.CICSPROD.ADMIN.** CLASS(FACILITY) ID(APPLDEV) ACCESS(UPDATE)
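The precedence rule described above can be checked with a small model. This is an added example, not code from the product or from RACF: it is a simplified sketch that handles only literal qualifiers and a trailing `**`, and the resource names ending in `OBJ1` and the `OTHER` object type are hypothetical.

```python
# Simplified model of RACF generic profile selection (added example).
# Only literal qualifiers plus a trailing "**" are modelled.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Profiles from the page: name -> (UACC, access list built by PERMIT).
PROFILES = {
    "$CBK.CICSPROD.**": ("NONE", {}),
    "$CBK.CICSPROD.ADMIN.**": ("NONE", {"APPLDEV": "UPDATE"}),
}


def matches(profile, resource):
    """True if the profile covers the resource name."""
    p, r = profile.split("."), resource.split(".")
    if p[-1] == "**":
        prefix = p[:-1]
        return r[:len(prefix)] == prefix  # "**" = zero or more qualifiers
    return p == r


def best_profile(resource, profiles=PROFILES):
    """Pick the matching profile with the most literal qualifiers."""
    hits = [n for n in profiles if matches(n, resource)]
    if not hits:
        return None
    return max(hits, key=lambda n: sum(q != "**" for q in n.split(".")))


def access(group, resource, profiles=PROFILES):
    """Access granted by the single best-matching profile."""
    name = best_profile(resource, profiles)
    if name is None:
        return "NONE"  # model assumption: no covering profile means denied
    uacc, acl = profiles[name]
    return acl.get(group, uacc)  # not on the access list -> UACC applies


def allowed(group, resource, wanted, profiles=PROFILES):
    """True if the group's access is at least the wanted level."""
    return LEVELS.index(access(group, resource, profiles)) >= LEVELS.index(wanted)


if __name__ == "__main__":
    # Constructed resource names; OBJ1 and OTHER are hypothetical.
    for grp in ("APPLDEV", "PRODOPS"):
        for res in ("$CBK.CICSPROD.ADMIN.OBJ1", "$CBK.CICSPROD.OTHER.OBJ1"):
            print(grp, res, access(grp, res))
```

Only the best-matching profile is consulted, so a group permitted on `$CBK.CICSPROD.**` gains nothing on ADMIN resources unless it is also permitted on `$CBK.CICSPROD.ADMIN.**`.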