How do I setup CA-ACF2 security for use with CA-SMF Director?

Document ID : KB000026453
Last Modified Date : 14/02/2018

Issue:

How do I setup CA-ACF2 security for use with CA-SMF Director?

 

Description:

The CA-SMF Director System Programmer Guide says to see the ACF2 Administrator Guide for help on setting up security for this product.   Can you give details on what is needed?

Solution:

According to the CA-SMF Director System Programmer Guide, the following resources are protected:

Resource name     Function protected
PRM.BACKUP        Backup of the SCDS file.
PRM.RESTORE       Restore of the SCDS file.
PRM.INIT          SCDS initialization.
PRM.DUMP          Dumping of the SMF files.
CMD.xxxxxx        Execution of the indicated command statement, where xxxxxx is
                  one of the following: ADDX, BEGIN, CHECKIT, COMPILE, DELETEX,
                  DUMPOPTIONS, DUMPTAPES, DUMP, EXTRACT, END, LISTC, LISTH,
                  OPTIONS, SOURCE, SPLIT, TAPEINIT, or UPDTX.

A GSO SAFDEF record is not needed. CA-ACF2 protects by default: if there is no rule allowing access, the user is denied.
A GSO CLASMAP record is required to define the resource class. The type code shown here (CA$) is not mandatory and can be changed to match your shop standards. The GSO CLASMAP defines the maximum length of the entity as 20 bytes.
To insert the GSO CLASMAP record, enter the following sample commands:

TSO ACF
SET CONTROL(GSO)
INSERT CLASMAP.SMF ENTITYLN(20) RESOURCE(CA$MSMF) RSRCTYPE(CA$)
F ACF2,REFRESH(CLASMAP)

The resource rules themselves may look like the following examples.
This rule allows only the CASFDUMP started task to use the BACKUP, RESTORE, INIT and DUMP PARM values in the JCL. No other userid is allowed to use these parameters.

$KEY(PRM) TYPE(CA$)
BACKUP UID(uid string of the CASFDUMP STC) ALLOW
BACKUP UID(....
RESTORE UID(uid string of the CASFDUMP STC) ALLOW
RESTORE UID(....
INIT UID(uid string of the CASFDUMP STC) ALLOW
INIT UID(....
DUMP UID(uid string of the CASFDUMP STC) ALLOW
DUMP UID(....

This rule allows the CASFDUMP started task to issue the DUMP command from within the job SYSIN. No other userid can issue any command from within SYSIN, except USER01, who can issue the ADDX command from within SYSIN.

$KEY(CMD) TYPE(CA$)
ADDX UID(USER01) ALLOW
BEGIN UID(*)
CHECKIT UID(*)
COMPILE UID(*)
DELETEX UID(*)
DUMPOPTIONS UID(*)
DUMPTAPES UID(*)
DUMP UID(uid string of the CASFDUMP STC) ALLOW
DUMP UID(*)
EXTRACT UID(*)
END UID(*)
LISTC UID(*)
LISTH UID(*)
OPTIONS UID(*)
SOURCE UID(*)
SPLIT UID(*)
TAPEINIT UID(*)
UPDTX UID(*)

Additionally, a SERVICE level of READ or UPDATE can be specified on a rule line to limit what that line's ALLOW grants. For example:

$KEY(PRM) TYPE(CA$)
BACKUP UID(uid string of the CASFDUMP STC) ALLOW
BACKUP UID(-) SERVICE(READ) ALLOW
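To see what the PRM and CMD rule sets above actually decide for a given userid, here is a small Python model of the access decision. It is an added example, not CA's code and not how ACF2 evaluates rules internally; it models only what this article states: access is denied unless a rule line matches, a matching line without ALLOW denies, and a SERVICE list limits which service levels a line covers. It assumes the CASFDUMP started task's UID string is simply CASFDUMP, that rule lines are tried in the order written (most specific first, as the examples are laid out), and that a bare UID(*) means "every user" as the article uses it; the "...." placeholder lines from the article are left out.

```python
import re

# Constructed sample input: the article's two rule sets, with the "...."
# placeholder lines dropped and CASFDUMP standing in for the STC's UID string.
PRM_RULE = """\
$KEY(PRM) TYPE(CA$)
BACKUP UID(CASFDUMP) ALLOW
BACKUP UID(-) SERVICE(READ) ALLOW
RESTORE UID(CASFDUMP) ALLOW
INIT UID(CASFDUMP) ALLOW
DUMP UID(CASFDUMP) ALLOW
"""

CMD_RULE = """\
$KEY(CMD) TYPE(CA$)
ADDX UID(USER01) ALLOW
BEGIN UID(*)
DUMP UID(CASFDUMP) ALLOW
DUMP UID(*)
EXTRACT UID(*)
"""

KEY_RE = re.compile(r"^\$KEY\((?P<key>\w+)\)\s+TYPE\((?P<type>[^)]+)\)$")
LINE_RE = re.compile(r"^(?P<res>\S+)\s+UID\((?P<uid>[^)]*)\)(?P<rest>.*)$")


def parse_rule(text):
    """Parse rule text into (key, type, rule lines) in the order written."""
    key = rtype = None
    lines = []
    for raw in text.strip().splitlines():
        raw = raw.strip().upper()
        if not raw:
            continue
        k = KEY_RE.match(raw)
        if k:
            key, rtype = k.group("key"), k.group("type")
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unrecognised rule line: {raw}")
        rest = m.group("rest")
        svc = re.search(r"SERVICE\(([^)]*)\)", rest)
        lines.append({
            "res": m.group("res"),
            "uid": m.group("uid"),
            # Only an explicit ALLOW grants access in this model.
            "allow": "ALLOW" in rest.split(),
            # None means the line applies to every service level.
            "service": {s.strip() for s in svc.group(1).split(",")} if svc else None,
        })
    return key, rtype, lines


def uid_matches(mask, uid):
    """ACF2-style UID masking: '-' matches any remaining characters and '*'
    matches one character.  A bare '*' is treated as "every user", which is
    how the article uses it (assumption of this model)."""
    if mask == "*":
        return True
    pattern = "".join(".*" if c == "-" else "." if c == "*" else re.escape(c)
                      for c in mask)
    return re.fullmatch(pattern, uid.upper()) is not None


def decide(rule_text, resource, uid, service="READ"):
    """Return "ALLOW" or "DENY" for one access request.

    Lines are tried in written order; the first line whose resource, UID mask
    and SERVICE list all match decides.  A matching line without ALLOW denies,
    and if no line matches at all the answer is DENY, because ACF2 protects
    by default (no rule allowing access means the user is denied)."""
    _, _, lines = parse_rule(rule_text)
    for line in lines:
        if line["res"] != resource.upper():
            continue
        if not uid_matches(line["uid"], uid):
            continue
        if line["service"] is not None and service.upper() not in line["service"]:
            continue
        return "ALLOW" if line["allow"] else "DENY"
    return "DENY"


if __name__ == "__main__":
    requests = [
        (PRM_RULE, "BACKUP", "CASFDUMP", "UPDATE"),   # STC keeps full access
        (PRM_RULE, "BACKUP", "USER01", "READ"),       # anyone: READ only
        (PRM_RULE, "BACKUP", "USER01", "UPDATE"),
        (PRM_RULE, "RESTORE", "USER01", "READ"),
        (CMD_RULE, "ADDX", "USER01", "READ"),
        (CMD_RULE, "ADDX", "USER02", "READ"),         # no matching line
        (CMD_RULE, "DUMP", "CASFDUMP", "READ"),
        (CMD_RULE, "DUMP", "USER01", "READ"),         # matches UID(*) with no ALLOW
        (CMD_RULE, "CHECKIT", "CASFDUMP", "READ"),    # resource not in rule set
    ]
    for text, res, uid, svc in requests:
        key = parse_rule(text)[0]
        print(f"{key}.{res:<8} uid={uid:<9} service={svc:<6} -> {decide(text, res, uid, svc)}")
```

Running the block prints one decision per request. The two outcomes worth noticing when you write your own rules are that a line such as DUMP UID(*) with no ALLOW is a deliberate deny for everyone the earlier, more specific line did not match, and that a resource with no line at all (CHECKIT here) is denied just the same, so forgetting a line fails closed rather than open.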