I am looking at SECTRACE output and wanted to know what the "SAFDEF= GENAUTH INTERNAL MODE= GLOBAL" means?

Document ID : KB000053671
Last Modified Date : 14/02/2018

Description:

The SAFDEF= and MODE= line of the SECTRACE output identifies the SAFDEF that was used to process the RACROUTE call and the mode you want CA ACF2 to use to process this SAF request.

Solution:

The following is a sample trace record from a SECTRACE:

SMFID= SYS1         TOD= 12:03:41.80    TRACEID= TEST       USERID= DUMPSRV
JOBNAME= DUMPSRV    ASID= 0005          PGM= IEECB926       CURR RB= SVC099
SFR/RFR= 0/20:16    MODE= TASK          APF= AUTHORIZED     LOCKS= NONE
SAFDEF= GENAUTH  INTERNAL MODE= GLOBAL
RACROUTE REQUEST=AUTH,CLASS='@MAJOPTS',RELEASE=1.9,STATUS=ACCESS,
          ATTR=READ,DSTYPE=N,ENTITYX=('USER.SYS1.IGGPOST0.DEFAULTS'),
          FILESEQ=0,GENERIC=ASIS,LOG=ASIS,MSGSP=0,MSGSUPP=YES,
          TAPELBL=STD,WORKA=

The "SAFDEF= GENAUTH INTERNAL" identifies the SAFDEF record that CA ACF2 matched on. The "SAFDEF=" field will display the ID of the SAFDEF used and either GSO or INTERNAL. "INTERNAL" indicates the SAFDEF is defined internally by ACF2. "GSO" indicates that the SAFDEF is site defined by a GSO SAFDEF record. In this example GENAUTH is the ID of a SAFDEF that was defined internally by ACF2.

The "MODE=" specifies the mode that CA ACF2 will use to process this RACROUTE request. The MODE will be one of the following:

MODE     Description
IGNORE   Bypass processing this SAF request
GLOBAL   Process this SAF request with the mode specified in the GSO OPTS
         record. For generalized resource validations, use the CA ACF2 SVCA
         recommendation to allow or deny the SAF request.
LOG      Process this REQUEST=AUTH call in LOG mode. Upon return of the
         validation call, allow access even if access is denied. LOG does not
         force logging if a logonid is allowed access.
QUIET    Process this REQUEST=AUTH call in QUIET mode.

The SHOW SAFDEF and SHOW ALL subcommands will display all SAFDEFs that are actively being used by the system. For example:

ACF
SHOW SAFDEF
-- SYSTEM AUTHORIZATION FACILITY DEFINITIONS --
DSNJCLJ2 JOBNAME=******** USERID=******** PROGRAM=HOSCNVT RB=SVC019
         RETCODE=4 SAFDEF=INTERNAL MODE=GLOBAL SUBSYS=ACF2
         FUNCRET=4 FUNCRSN=0
         RACROUTE REQUEST=AUTH,CLASS='DATASET'
DSNJCLJ3 JOBNAME=******** USERID=******** PROGRAM=IATIIST RB=SVC019
         RETCODE=4 SAFDEF=INTERNAL MODE=GLOBAL SUBSYS=ACF2
         FUNCRET=4 FUNCRSN=0
         RACROUTE REQUEST=AUTH,CLASS='DATASET'
. . . . . .

All of the GSO-defined SAFDEF records can be listed using the TSO ACF command processor. For example:

ACF
LIST LIKE(SAFDEF-)
SYS1 / SAFDEF.ABC LAST CHANGED BY USER002 ON 24/11/08-11:28
       FUNCRET(4) FUNCRSN(0) ID(TESTABC) MODE(GLOBAL)
       RACROUTE(REQUEST=AUTH CLASS=FACILITY
       ENTITYX=BPX.DAEMON,PRIVATE) RETCODE(4)
SYS1 / SAFDEF.ABCD LAST CHANGED BY USER001 ON 15/04/04-09:16
       FUNCRET(4) FUNCRSN(0) ID(TESTABC) MODE(GLOBAL)
       RACROUTE(REQUEST=AUTH CLASS=FACILITY
       ENTITYX=(BPX.DAEMON,PRIVATE)) RETCODE(4)
. . .   . . .
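
The following Python parser is an added example, not part of the CA document. It reads SECTRACE records laid out like the sample above, takes the SAF processing mode from the MODE= that follows the SAFDEF origin (not from the earlier MODE= TASK header field), and lists the requests whose SAFDEF mode is not GLOBAL. Records 2 and 3 and the SAFDEF IDs TESTLOG and TESTIGN are constructed for illustration.

```python
import re

# Constructed input: record 1 is the sample record from this page (RACROUTE
# operands shortened); records 2 and 3 are made up, with hypothetical SAFDEF IDs.
SAMPLE = """\
SMFID= SYS1         TOD= 12:03:41.80    TRACEID= TEST       USERID= DUMPSRV
JOBNAME= DUMPSRV    ASID= 0005          PGM= IEECB926       CURR RB= SVC099
SFR/RFR= 0/20:16    MODE= TASK          APF= AUTHORIZED     LOCKS= NONE
SAFDEF= GENAUTH  INTERNAL MODE= GLOBAL
RACROUTE REQUEST=AUTH,CLASS='@MAJOPTS',RELEASE=1.9,STATUS=ACCESS,
          ATTR=READ,DSTYPE=N,ENTITYX=('USER.SYS1.IGGPOST0.DEFAULTS'),
SMFID= SYS1         TOD= 12:04:02.11    TRACEID= TEST       USERID= USER002
SAFDEF= TESTLOG  GSO MODE= LOG
RACROUTE REQUEST=AUTH,CLASS='FACILITY',ENTITYX=('BPX.DAEMON'),
SMFID= SYS1         TOD= 12:04:09.57    TRACEID= TEST       USERID= USER001
SAFDEF= TESTIGN  GSO MODE= IGNORE
RACROUTE REQUEST=AUTH,CLASS='FACILITY',ENTITYX=('BPX.DAEMON'),
"""

# A record has two MODE= fields. Anchoring on SAFDEF= and the origin keyword
# (GSO or INTERNAL) selects the SAF processing mode, not "MODE= TASK".
SAFDEF_RE = re.compile(r"SAFDEF=\s*(\S+)\s+(GSO|INTERNAL)\s+MODE=\s*(\w+)")
FIELD_RE = {
    "userid": re.compile(r"USERID=\s*(\S+)"),
    "class": re.compile(r"CLASS='([^']*)'"),
    "entity": re.compile(r"ENTITYX=\('([^']*)'"),
}

def parse_sectrace(text):
    """Return one dict per trace record; a record starts at SMFID=."""
    records = []
    for chunk in re.split(r"(?=SMFID=)", text):
        m = SAFDEF_RE.search(chunk)
        if not m:
            continue  # leading text, or a record without a SAFDEF line
        rec = {"safdef": m.group(1), "origin": m.group(2), "mode": m.group(3)}
        for name, rx in FIELD_RE.items():
            hit = rx.search(chunk)
            rec[name] = hit.group(1) if hit else None
        records.append(rec)
    return records

def non_global(records):
    """Records whose SAFDEF mode is not GLOBAL (IGNORE, LOG or QUIET)."""
    return [r for r in records if r["mode"] != "GLOBAL"]

if __name__ == "__main__":
    for r in non_global(parse_sectrace(SAMPLE)):
        print(r["safdef"], r["origin"], r["mode"], r["class"], r["entity"], r["userid"])
```

The IDs it reports with origin GSO can then be checked against the LIST LIKE(SAFDEF-) output to see who last changed the matching record.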

Details on the SECTRACE command can be found in the CA-ACF2 Security for z/OS System Programmer Guide, in Chapter 6: Special Usage Consideration, section "Tracing SAF Requests".

Details on the GSO SAFDEF record can be found in the CA-ACF2 Security for z/OS Administrator Guide, Chapter 14: Maintaining Global System Options Records, section "Environments for SAF Calls (SAFDEF)".