A refresh command from TSO (SDSF) works without any problems.
When the same command is invoked under CA-Remote Console, the following error is observed even though REFRESH privileges are activated.
- SYSNAME RESPONSE --------------------------------------------
- ACF79343 OPERATOR FUNCTION: AUTHORIZATION FAILURE
The following defines the requirements for using CA-Remote Console in an external security environment protected by CA-ACF2. CA-Remote Console must be defined to the CA-ACF2 security system in order to run as a started task. The related CA-Remote Console initialization parameters are:
secclass is the 8-byte class name to be specified for the resource keyword on the GSO CLASMAP record. secresource represents an 8-byte resource name that is specified on the $KEY statement in a CA-ACF2 resource rule.
Specify RCSINIT SECURITY=ACF2 if you want CA-ACF2 to secure the logon to CA-Remote Console. To use CA-ACF2 as the logon verification mechanism, you must define CA-Remote Console as a MUSASS to ACF2 using the following CA-ACF2 command:
INSERT REMCONS STC MUSASS
Note: The above example assumes REMCONS is the started task name of CA-Remote Console.
If you set the RCSINIT SECURITY= parameter to RCS, USER or NONE, then the CA-Remote Console started task does not need the MUSASS privilege. In this case the CA-ACF2 INSERT command would be modified to the following:
INSERT REMCONS STC
SECCLASS and SECRESOURCE
Use of the RCSINIT SECCLASS and SECRESOURCE parameters is optional. These parameters allow you to control which users are permitted to log on to CA-Remote Console. You can activate logon checking by adding values in CA-Remote Console that are similar to the following:
To define this resource to eTrust CA-ACF2, create the following CLASMAP record:
INSERT CLASMAP.RCS RESOURCE(REMCONS) TYPE(RCS) ENTITYLN(8)
Once this is in place, create the following CA-ACF2 resource rule to allow selected users or groups of users access to CA-Remote Console:
OPERATOR COMMAND VALIDATION
If you validate operator commands (OPERCMDS) or have an automation package such as CA-OPSMVS-II, you should set RCSINIT SECTOKEN to a value of YES. This setting causes CA-Remote Console to propagate the userid to CA-ACF2 and the automation package each time that a user issues a command through CA-Remote Console. When SECTOKEN=NO is set, the userid information is not passed, so the commands are validated under the CA-Remote Console started task logonid.
If you currently use the GROUP field of the LOGONID record in CA-ACF2, CA-Remote Console will copy this value at logon time. You can then use the CA-Remote Console ACCOUNT command to specify characteristics of the GROUP names copied from the CA-ACF2 logonid. You can display the GROUP names of logged on CA-Remote Console users by issuing the RDISPLAY SESS,ALL command from within a CA-Remote Console session. An example of this output is presented below:
- RCS5660 SESSION SUMMARY 148 DATA LINE 1 OF 3
- LOGONID TERMID LOGON AUTH GROUP STATUS
- LUTDA01 A55TU009 SYS AUTM INHIBITED,COLOR
- KELGR01 A55TU062 SYS MGMT COLOR
Review Appendix E of the RCS User Guide, which has the recommended ACF2 setup.