This section discusses the kinds of authorization checking WebSphere® Application Server for z/OS® does for a clusters. Servants must have access to profiles in the RACF® SERVER class. This controls whether a servant can call authorized routines in the controller.
Controllers do not require such access control. Only authorized programs, loaded from Authorized Program Facility (APF) libraries, run in controllers.
When resource controls are used by DB2, all controllers and servants need to be granted access to the relevant resources. You can grant access by using the DSNR RACF class (if you have RACF support) or by issuing the relevant DB2 GRANT statements.
Access to Open Transaction Manager Access (OTMA) for IMS access is accomplished through the FACILITY Class (IMSXCF.OTMACI). Access to EXCI for CICS is accomplished through the SURROGAT class (*.DFHEXCI).
You can control access to data sets through the DATASET class and hierarchical file system (HFS) files through file permissions.