CA-Spool and external security with CA-ACF2

Document ID : KB000055576
Last Modified Date : 14/02/2018
Show Technical Document Details

Problem Description

I need to define a default group and or default printer for my users when using external security CA-ACF2.

Reason

How do I define a users default group or printer when using external security CA-ACF2?

Action

CA-ACF2 does not support the extraction of default group information stored in the INSTDATA fields of the USER segment. By default, CA-Spool issues a RACROUTE call to external security packages that returns the INSTDATA fields of the user segment. The default group is extracted from the data stored there. The use of INSTDATA is not supported under ACF2 at this time.

It is suggested that the definitions for ESFDGRP or ESFDPRT are controlled using INTERNAL SAF control. All other functions can be controlled using external SAF requests via pseudo dataset validations.

There is a CA-ACF2 enhancement request open at this time requesting support of the extraction of INSTDATA fields via RACROUTE request.

Below are a few samples of how to define and control ESFDGRP or ESFDPRT with internal SAF. You can specify both on the same SAFUID statement and there is no default for either parameter if not specified.

Sample 1 for ESFDGRP definition:
SAFUID USRABC,DGROUP=1

Sample 2 for ESFDPRT definition:
SAFUID USREFG,DPRINTER=HPPRT

Sample 3 for ESFDGRP and ESFDPRT definition:
SAFUID USRJKL,DGROUP=2,DPRINTER=PRTR9

The other required change is to specify INT,EXT on your SAFDEF statement and your SAFTYPE statements, except for SAFTYPE 10 and 11 should always specify NOINT,NOEXT no matter if you use Internal or External or both for security.