When installing openFT it is important to note the following points concerning privileges:
If the product RACF (or compatible product) is installed in the system, the OPENFT load module must be stored in a library which is subject to APF authorization, since it accesses privileged RACF macros (see the section “Linking openFT with data protection products”). In addition, the OPENFT load module must possess the linkage editor attribute "AC(1)". The OPENFT load module supplied already has this attribute.
openFT must also have APF authorization in order to perform the following functions:
transfer a complete PO or PDSE data set
charge file transfer requests (write account records to the SMF file)
output asynchronous messages after termination of a transfer request to the TSO user whose user ID was specified in the TRANSFER-ADMISSION of the system involved and/or to one or several consoles.
In addition to the library containing the OPENFT load module, the other libraries in the library hierarchy (STEPLIB, TASKLIB, JOBLIB ...) must also be APF authorized, i.e.:
the library containing openFT as a subsystem, known as the LPALIB
the library containing the OPENFTCR load module (see section “Installation of the openFT-CR delivery unit”)
Since openFT uses socket calls to establish TCP/IP connections, the user ID under which openFT runs (as a job or as a started task, see openFT as a job or started task) also needs an OMVS segment (OMVS: OpenEdition MVS). No special privileges are needed, i.e. any UID (OMVS user ID) can be used. The user ID must belong to a group for which a GID (OMVS group ID) has been defined. The GID is defined with RACF; see also IBM manual "OpenEdition Planning", chapter "Controlling OpenEdition Security".
If the file SYS1.UADS is installed in the system and is to be used by openFT, the user ID under which openFT is running (as a job or started task, see openFT as a job or started task) must be granted read access to this file.
In a z/OS system with RACF (Resource Access Control Facility), the user ID under which openFT is running must also be authorized to access the files and volumes of all openFT users if these are protected by RACF. In particular it must be granted:
read access (READ) to send files
write access (ALTER) to receive files
The z/OS administrator can assign specific access rights to these files and to the associated data volumes. However, it is considerably easier to assign the RACF attribute OPERATIONS to the user ID under which openFT is running. If this approach is taken, it is advisable not to assign any TSO authorization to this user ID for reasons of data security. Even if the user ID under which openFT is running possesses the RACF OPERATIONS attribute and is therefore able to access all the files in the system, there is no danger of FT user transfer requests infringing on data security, since openFT verifies the validity of all the data access attempts that occur during file transfer (see section “Linking openFT with data protection products”).
The same rules apply to products compatible with RACF. For further information please refer to the product-specific manuals.
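The RACF and APF setup described in this section, as an added example that is not part of the openFT manual: it defines the openFT user ID with an OMVS segment but no TSO segment, grants the accesses listed above, and authorizes the load library. All names (group OPENFTG, user OPENFT, library OPENFT.LOAD on volume VOL001, started task OPENFT, the UID/GID values and the sample data-set profile) are assumptions; the `/* */` lines are annotations, and step 6 is entered at the MVS console, not under TSO.

```tso
/* Assumed names, not taken from the manual: group OPENFTG, user     */
/* OPENFT, load library OPENFT.LOAD on VOL001, started task OPENFT.  */

/* 1. Group with an OMVS GID: the openFT user ID must belong to a    */
/*    group for which a GID has been defined.                         */
ADDGROUP OPENFTG OMVS(GID(500))

/* 2. User ID under which openFT runs. Any UID is sufficient, no      */
/*    superuser UID is needed. No TSO segment is given, so the ID     */
/*    cannot be used for interactive logon; NOPASSWORD NOOIDCARD     */
/*    makes it a protected user ID suitable for a started task.      */
ADDUSER OPENFT NAME('OPENFT SERVER') DFLTGRP(OPENFTG) -
        NOPASSWORD NOOIDCARD -
        OMVS(UID(501) HOME('/') PROGRAM('/bin/sh'))

/* 3. Read access to SYS1.UADS, if that file is in use. Assumes a    */
/*    DATASET profile named SYS1.UADS exists.                         */
PERMIT 'SYS1.UADS' CLASS(DATASET) ID(OPENFT) ACCESS(READ)

/* 4a. Per-data-set variant: READ to send, ALTER to receive.          */
/*     USER1.FT.** is an assumed generic profile for one FT user.     */
PERMIT 'USER1.FT.**' CLASS(DATASET) ID(OPENFT) ACCESS(ALTER)

/* 4b. Alternative from the manual: the OPERATIONS attribute instead  */
/*     of individual permits (openFT still checks each access).       */
ALTUSER OPENFT OPERATIONS

/* 5. Run the started task under that user ID (STARTED class).        */
SETROPTS CLASSACT(STARTED) RACLIST(STARTED)
RDEFINE STARTED OPENFT.* STDATA(USER(OPENFT) GROUP(OPENFTG))
SETROPTS RACLIST(STARTED) REFRESH

/* Checks: the OMVS segment must show UID 501 and group GID 500.      */
LISTUSER OPENFT OMVS NORACF
LISTGRP OPENFTG OMVS NORACF

/* 6. MVS console: APF-authorize the load library dynamically (lost   */
/*    at IPL; add APF ADD DSNAME(OPENFT.LOAD) VOLUME(VOL001) to a     */
/*    PROGxx PARMLIB member to make it permanent), then verify.       */
SETPROG APF,ADD,DSNAME=OPENFT.LOAD,VOLUME=VOL001
DISPLAY PROG,APF
```

Use either step 4a for every FT user's data sets or step 4b, not both; step 4b is the simpler administration the manual recommends, combined with the absence of a TSO segment in step 2.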