The SAFDEF= and MODE= line of the SECTRACE output identifies the SAFDEF that was used to process the RACROUTE call and the mode you want CA ACF2 to use to process this SAF request.
The following is a sample trace record from a SECTRACE:
    SMFID= SYS1 TOD= 12:03:41.80 TRACEID= TEST USERID= DUMPSRV
    JOBNAME= DUMPSRV ASID= 0005 PGM= IEECB926 CURR RB= SVC099
    SFR/RFR= 0/20:16 MODE= TASK APF= AUTHORIZED LOCKS= NONE
    SAFDEF= GENAUTH INTERNAL MODE= GLOBAL
    RACROUTE REQUEST=AUTH,CLASS='@MAJOPTS',RELEASE=1.9,STATUS=ACCESS,
    ATTR=READ,DSTYPE=N,ENTITYX=('USER.SYS1.IGGPOST0.DEFAULTS'),
    FILESEQ=0,GENERIC=ASIS,LOG=ASIS,MSGSP=0,MSGSUPP=YES,
    TAPELBL=STD,WORKA=
The "SAFDEF= GENAUTH INTERNAL" identifies the SAFDEF record that CA ACF2 matched on. The "SAFDEF=" field displays the ID of the SAFDEF used and either GSO or INTERNAL. "INTERNAL" indicates that the SAFDEF is defined internally by ACF2. "GSO" indicates that the SAFDEF is site-defined by a GSO SAFDEF record. In this example, GENAUTH is the ID of a SAFDEF that was defined internally by ACF2.
The "MODE=" field that follows "SAFDEF=" on the same line specifies the mode that CA ACF2 will use to process this RACROUTE request. The MODE will be one of the following:
    MODE     Description
    IGNORE   Bypass processing this SAF request.
    GLOBAL   Process this SAF request with the mode specified in the GSO OPTS
             record. For generalized resource validations, use the CA ACF2
             SVCA recommendation to allow or deny the SAF request.
    LOG      Process this REQUEST=AUTH call in LOG mode. Upon return of the
             validation call, allow access even if access is denied. LOG does
             not force logging if a logonid is allowed access.
    QUIET    Process this REQUEST=AUTH call in QUIET mode.

The SHOW SAFDEF and SHOW ALL subcommands will display all SAFDEFs that are actively being used by the system. For example:

    ACF
    SHOW SAFDEF
    -- SYSTEM AUTHORIZATION FACILITY DEFINITIONS --
    DSNJCLJ2 JOBNAME=******** USERID=******** PROGRAM=HOSCNVT RB=SVC019
             RETCODE=4 SAFDEF=INTERNAL MODE=GLOBAL SUBSYS=ACF2
             FUNCRET=4 FUNCRSN=0
             RACROUTE REQUEST=AUTH,CLASS='DATASET'
    DSNJCLJ3 JOBNAME=******** USERID=******** PROGRAM=IATIIST RB=SVC019
             RETCODE=4 SAFDEF=INTERNAL MODE=GLOBAL SUBSYS=ACF2
             FUNCRET=4 FUNCRSN=0
             RACROUTE REQUEST=AUTH,CLASS='DATASET'
    . . . . . .
All of the GSO-defined SAFDEF records can be listed using the TSO ACF command processor. For example:
    ACF
    LIST LIKE(SAFDEF-)
    SYS1 / SAFDEF.ABC LAST CHANGED BY USER002 ON 24/11/08-11:28
           FUNCRET(4) FUNCRSN(0) ID(TESTABC) MODE(GLOBAL)
           RACROUTE(REQUEST=AUTH CLASS=FACILITY ENTITYX=BPX.DAEMON,PRIVATE)
           RETCODE(4)
    SYS1 / SAFDEF.ABCD LAST CHANGED BY USER001 ON 15/04/04-09:16
           FUNCRET(4) FUNCRSN(0) ID(TESTABC) MODE(GLOBAL)
           RACROUTE(REQUEST=AUTH CLASS=FACILITY ENTITYX=(BPX.DAEMON,PRIVATE))
           RETCODE(4)
    . . . . . .
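As an added example (not part of the original CA documentation), the Python sketch below parses captured SECTRACE records, reads the SAFDEF ID, its origin (GSO or INTERNAL) and the mode from the SAFDEF= line rather than from the earlier "MODE= TASK" field, and flags requests handled in IGNORE or LOG mode. It assumes each record starts at SMFID= and that the trace text has been saved off-host; the function name and the second sample record are constructed for illustration.

```python
import re

# Constructed input: record 1 is this page's sample trace record (abridged);
# record 2 is made up to show a site-defined (GSO) SAFDEF running in LOG mode.
SAMPLE = """\
SMFID= SYS1 TOD= 12:03:41.80 TRACEID= TEST USERID= DUMPSRV
JOBNAME= DUMPSRV ASID= 0005 PGM= IEECB926 CURR RB= SVC099
SFR/RFR= 0/20:16 MODE= TASK APF= AUTHORIZED LOCKS= NONE
SAFDEF= GENAUTH INTERNAL MODE= GLOBAL
RACROUTE REQUEST=AUTH,CLASS='@MAJOPTS',RELEASE=1.9,STATUS=ACCESS,
SMFID= SYS1 TOD= 12:04:10.12 TRACEID= TEST USERID= USER001
JOBNAME= TESTJOB ASID= 0042 PGM= TESTPGM CURR RB= SVC019
SFR/RFR= 0/20:16 MODE= TASK APF= AUTHORIZED LOCKS= NONE
SAFDEF= TESTABC GSO MODE= LOG
RACROUTE REQUEST=AUTH,CLASS='FACILITY',ENTITYX=('BPX.DAEMON'),
"""

# Per the MODE table: IGNORE bypasses processing and LOG allows access even if
# access is denied. GLOBAL defers to the GSO OPTS record, so it cannot be
# judged from the trace alone; QUIET is not characterised on this page.
NON_ENFORCING = {"IGNORE", "LOG"}

# Anchoring on "SAFDEF= <id> <origin> MODE=" skips the unrelated "MODE= TASK".
SAFDEF_RE = re.compile(r"SAFDEF=\s*(\S+)\s+(GSO|INTERNAL)\s+MODE=\s*(\S+)")
# A value must not contain "=", so an empty field never swallows the next keyword.
FIELD_RE = {
    "userid": re.compile(r"USERID=\s*([^\s=]+)(?=\s|$)"),
    "jobname": re.compile(r"JOBNAME=\s*([^\s=]+)(?=\s|$)"),
    "pgm": re.compile(r"PGM=\s*([^\s=]+)(?=\s|$)"),
    "request": re.compile(r"REQUEST=(\w+)"),
    "class": re.compile(r"CLASS='([^']*)'"),
}

def parse_sectrace(text):
    """Return one dict per trace record that carries a SAFDEF= line."""
    records = []
    for chunk in re.split(r"(?=SMFID=)", text):
        m = SAFDEF_RE.search(chunk)
        if not m:
            continue
        rec = {"safdef": m.group(1), "origin": m.group(2), "mode": m.group(3)}
        for name, rx in FIELD_RE.items():
            found = rx.search(chunk)
            rec[name] = found.group(1) if found else None
        rec["non_enforcing"] = rec["mode"] in NON_ENFORCING
        records.append(rec)
    return records

if __name__ == "__main__":
    for r in parse_sectrace(SAMPLE):
        print(r["safdef"], r["origin"], r["mode"], r["class"], r["non_enforcing"])
```

Records flagged as non-enforcing are the ones to review against the corresponding GSO SAFDEF record, since a denied REQUEST=AUTH call in those modes does not stop the caller.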
Details on the SECTRACE command can be found in the CA-ACF2 Security for z/OS System Programmer Guide, in Chapter 6: Special Usage Consideration, section "Tracing SAF Requests".
Details on the GSO SAFDEF record can be found in the CA-ACF2 Security for z/OS Administrator Guide, Chapter 14: Maintaining Global System Options Records, section "Environments for SAF Calls (SAFDEF)".