Access control setup for SAF protected VTS

The access control for an SAF protected VTS is set up using the security tool used by your installation.

When RACF_VTS is set to Y for a VTS, tableBASE will perform checks on the user’s profile before allowing access to the VTS. This access is authorized by tableBASE based on a resource profile in the Facility Class.

The format of the resource profile used for authorization by tableBASE is:

  • DK1.VTS.lparname.vtsname, where lparname is the name of the LPAR and vtsname is the name of the VTS-TSR.

The resource profile for the VTS can also fall under a generic profile in the Facility Class. If the VTS does not fall under any resource profile in the Facility Class, the default for the class is used; this is normally NONE, which means that no user is allowed access to the VTS.

Access levels

When a user is granted access to a SAF protected VTS, it is the userid used to submit a batch job or to start up a region (CICS, IMS or DB2 SPAS) that is verified for sufficient authorization to access the VTS-TSR. For CICS, IMS and DB2 SPAS regions, any userid permitted to access the region inherits, while executing in the region, the same access levels to the VTS as the user that started up the region.

Table 25 shows the type of access allowed for each access level granted on a SAF protected VTS-TSR.

Table 25. SAF protected VTS Access Levels and Permissions

| Access Level   | Access Allowed on a SAF Protected VTS                                                          |
|----------------|------------------------------------------------------------------------------------------------|
| ALTER, CONTROL | Start up, shut down VTS; all tableBASE command groups (a, b and c) – update, read and none.    |
| UPDATE         | All tableBASE command groups (a, b and c) – update, read and none.                             |
| READ           | tableBASE command groups b and c – read and none.                                              |
| NONE           | tableBASE command group c – none.                                                              |
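
The following REXX exec is an added example, not taken from the tableBASE documentation. It shows one way to define the DK1.VTS.lparname.vtsname profile and grant the access levels above, assuming the installation's security tool is RACF. The LPAR name SYSA, the VTS name VTSPROD and the userids VTSADM, CICSPRD1 and RPTBATCH are constructed placeholders.

```rexx
/* REXX - added example; SYSA, VTSPROD and all userids are placeholders */
Address TSO

/* Allow generic profiles in the FACILITY class, so that DK1.VTS.**   */
/* is treated as a generic profile and not as a discrete name.        */
"SETROPTS GENERIC(FACILITY)"

/* Generic backstop: a VTS with no profile of its own falls under     */
/* this one, so it never depends on the class default.                */
"RDEFINE FACILITY DK1.VTS.** UACC(NONE)"

/* Discrete profile for the VTS-TSR named VTSPROD on LPAR SYSA.       */
"RDEFINE FACILITY DK1.VTS.SYSA.VTSPROD UACC(NONE)"

/* CONTROL: the userid that starts up and shuts down the VTS.         */
"PERMIT DK1.VTS.SYSA.VTSPROD CLASS(FACILITY) ID(VTSADM) ACCESS(CONTROL)"

/* UPDATE: the userid that starts the CICS region. Every user running */
/* in that region inherits this level, so grant only what all of      */
/* them are meant to have.                                            */
"PERMIT DK1.VTS.SYSA.VTSPROD CLASS(FACILITY) ID(CICSPRD1) ACCESS(UPDATE)"

/* READ: the userid that submits read-only batch jobs.                */
"PERMIT DK1.VTS.SYSA.VTSPROD CLASS(FACILITY) ID(RPTBATCH) ACCESS(READ)"

/* Refresh the in-storage profiles; this applies only when the        */
/* FACILITY class is RACLISTed at the installation.                   */
"SETROPTS RACLIST(FACILITY) REFRESH"

/* Review the resulting access list for the profile.                  */
"RLIST FACILITY DK1.VTS.SYSA.VTSPROD AUTHUSER"
```

Installations that use a different SAF security product define the same resource name and access levels with that product's own commands.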