How is the CA SAF HFS security for the USS Hierarchical File System activated?

Document ID : KB000026653
Last Modified Date : 14/02/2018
Show Technical Document Details

Question:  

How is the CA SAF HFS security for the USS Hierarchical File System activated?

Answer: 

A site has two options to secure the Hierarchical File System (HFS):

  1. The internal to z/OS UNIX System Services which is based on a UNIX model of security through the use of UID, GID and permission bits.

  2. With the CA SAF HFS security the standard CA-ACF2 for z/OS security resource rules are used to secure the HFS. Native UNIX file permission bit security is bypassed, as well as the superuser authority to access any file.

CA SAF HFS security can be activated automatically during ACF2 initialization or dynamically just for the current duration of the IPL.

The GSO UNIXOPTS HFSSEC|NOHFSSEC controls the start of CA SAF HFS security during ACF2 initialization by default. When the GSO UNIXOPTS is set to HFSSEC, CA SAF HFS security will be active. The TSO, ACF command "SHOW UNIXOPTS" will display "HFS SECURITY ACTIVE: YES".

To dynamically activate CA SAF HFS security there are two methods.

Both of these methods will activate the CA SAF HFS security only for the duration of the current IPL. To activate CA SAF HFS security automatically at each IPL the GSO UNIXOPTS HFSSEC|NOHFSSEC can be used.

  1. Issue the modify ACF2 operator command: F ACF2,HFS(ENABLE)

    The syntax of the operator command is F ACF2,HFS(STATUS|ENABLE|DISABLE)

    The command may be used to enable, disable and check the status of CA SAF HFS Security. Further information on this command can be found in the Systems Programmer's Guide.

  2. Run the batch SAFHFMOD utility which allows authorized users to display the status of and to enable or disable CA SAF HFS security.

    Sample JCL follows:

    //jobname JOB CLASS=a
    //stepname EXEC PGM=SAFHFMOD,PARM=function


    Where function can be ENABLE, DISABLE or STATUS to enable, disable and check the status of CA SAF HFS Security. Further information on this utility can be found in the Administrator Guide in section "CA SAF HFS Security Modification Utility".

Additional Information:

 

Details onactivating CA SAF HFS Security can be found in the CA ACF2 for z/OS Administration Guide in Chapter 23: Controlling Access to the Hierarchical File System section 'Implementing CA SAF HFS Security'.