– The first check uses the client ACEE. This is the ACEE that is associated
with the current task. If the request is successful, the second check is
performed.
– The second check uses the ACEE associated with the server. This is the
same ACEE that is associated with the address space.
When each of these checks occurs, the RACF exits ICHRCX01 and ICHRCX02
are invoked.
Authenticated client ACEE
When an authenticated client ACEE is used in an access control decision, only
this ACEE is used in the access control decision. Audit records recorded
contain an additional relocate section indicating that this authorization request
was processed using an ACEE created on behalf of an unauthorized
application.
IRRSXT00 Installation Exit
IRRSXT00 is invoked by the SAF callable services router before and after RACF is
called. If your system already uses the IRRSXT00 installation exit, you should
review this exit to be sure the following are true for the R_dceinfo and R_dceruid
callable services:
IRRSXT00 is capable of executing in either problem or supervisor state.
IRRSXT00 does not expect to receive control in a system storage protection
key (0-7).
RACROUTE REQUEST=DEFINE Preprocessing Exit (ICHRDX01)
Processing of a RETPD value specified via the RACROUTE REQUEST=DEFINE
preprocessing exit has changed. Formerly, a RETPD value specified in an
ICHRDX01 exit was not recorded in the profile when a generic profile was being
defined, unless RETPD was also specified via command. Now, a RETPD value
specified in an ICHRDX01 exit is picked up. If you do not want the value to be
picked up when creating a generic profile, you should modify your exit to set the
RETPD value only when processing a tape profile.
36 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration