How To Use SAF To Control SDSF Group Membership With Top-Secret?

Document ID : KB000053383
Last Modified Date : 14/02/2018
Show Technical Document Details


Here it is what IBM's SDSF documentation states:

***** start of IBM doc *****

You can also use SAF to control membership in groups defined with ISFPARMS.
To do this:

  1. Assign a name to each group, as follows:
    ~ With an ISFGRP macro, using the macro label. The label must start in column 1 and be 1-8 characters. It must conform to standard assembler language programming conventions and be unique within ISFPARMS.
    ~ With a GROUP statement, using the NAME parameter.

  2. Define SAF profiles GROUP .group-name.server-name, in the SDSF class, and permit users to them as appropriate.
    ***** end of IBM doc *****


The details of memberships can be summarized as follows:

FunctionResource NameClassAccess
Membership in


If the SDSF client is not connected to the SDSF server, the server-name is blank.

Then, as shown in this table, it is translated to RACF as follows:


To authorize membership in a group in ISFPARMS, issue the following commands:

 PERMIT CLASS(SDSF) ID(userid or  groupid) 

Converted to a CA Top Secret TSS command:

TSS  ADD(owningacid)  SDSF(GROUP.)
TSS PER(aciduser or acidprofile) SDSF( -

Please refer to:

  • Appendix C. SDSF resource names for SAF security in IBM SDSF Operation and Customization Guide.

  • SDSF is a pre-defined CA Top Secret resource class name in the RDT and is documented in the CA Top Secret Commmand Functions Guide