Here it is what IBM's SDSF documentation states:
***** start of IBM doc *****
You can also use SAF to control membership in groups defined with ISFPARMS.
To do this:
- Assign a name to each group, as follows:
~ With an ISFGRP macro, using the macro label. The label must start in column 1 and be 1-8 characters. It must conform to standard assembler language programming conventions and be unique within ISFPARMS.
~ With a GROUP statement, using the NAME parameter.
- Define SAF profiles GROUP .group-name.server-name, in the SDSF class, and permit users to them as appropriate.
***** end of IBM doc *****
The details of memberships can be summarized as follows:
|Membership in Group||GROUP.group-name.server-name||SDSF||READ|
If the SDSF client is not connected to the SDSF server, the server-name is blank.
Then, as shown in this table, it is translated to RACF as follows:
To authorize membership in a group in ISFPARMS, issue the following commands:
RDEFINE SDSF GROUP.group-name.server-name UACC(NONE)
PERMIT GROUP.group-name.server-name CLASS(SDSF) ID(userid or groupid)
Converted to a CA Top Secret TSS command:
TSS ADD(owningacid) SDSF(GROUP.)
TSS PER(aciduser or acidprofile) SDSF(GROUP.group-name.server-name) -
Please refer to:
- Appendix C. SDSF resource names for SAF security in IBM SDSF Operation and Customization Guide.
- SDSF is a pre-defined CA Top Secret resource class name in the RDT and is documented in the CA Top Secret Commmand Functions Guide