I am trying to setup ACF2 security for IBM Operational Decision Manager, are there ACF2 commands equivalent to the RACF setup commands?

Document ID : KB000014365
Last Modified Date : 14/02/2018
Show Technical Document Details
Question:

I am trying to setup ACF2 security for IBM Operational Decision Manager, are there ACF2 commands equivalent to the RACF setup commands?

Answer:

The ACF2 equivalent CLASMAP, SAFDEF and Resource Rules for IBM Operational Decision Manager follow. The example maps the resource classes HBRADMIN, HBRCONN and HBRCMD to resource TYPE codes HAD, HCO and HCM respectively. These TYPE codes can be changed to appropriate three character TYPE codes that meet your site's requirements. Sample Resource rules for IBM Operational Decision Manager are included as well.

In the examples below <HBRSSID_NAME> corresponds to a subsystem ID in the server group that is specified by the ++HBRSSIDLIST++ JCL variable. To manage command security for multiple servers or for the entire server group, specify a wildcard as the subsystem ID(ie. SY**).

Use the following ACF2 commands:

ACF
SET CONTROL(GSO)
INSERT CLASMAP.HBRADMIN RESOURCE(HBRADMIN) RSRCTYPE(HAD) ENTITYLN(64) POSIT(128)
INSERT CLASMAP.HBRCONN RESOURCE(HBRCONN) RSRCTYPE(HCO) ENTITYLN(64) POSIT(128)
INSERT CLASMAP.HBRCMD RESOURCE(HBRCMD) RSRCTYPE(HCM) ENTITYLN(64) POSIT(128)
F ACF2,REFRESH(CLASMAP)

Resource Class HBRADMIN
Controls whether server security and security for specific server resources are enabled or disabled.
Resource Class HBRADMIN Resource Profiles:

<HBRSSID_NAME>.ROLE.RESMON
<HBRSSID_NAME>.ROLE.RESDEP
<HBRSSID_NAME>.ROLE.RESADMIN

ACF
SET RESOURCE(HAD)
RECKEY <HBRSSID_NAME> ADD( ROLE.RESMON UID( User UID string) SERVICE(UPDATE) ALLOW)
RECKEY <HBRSSID_NAME> ADD( ROLE.RESDEP UID( User UID string) SERVICE(UPDATE) ALLOW)
RECKEY <HBRSSID_NAME> ADD( ROLE.RESADMIN UID( User UID string) SERVICE(UPDATE) ALLOW)

Resource Class HBRCONN
Specifies the logonids that are authorized to connect to the zRule Execution Server for z/OS and execute rulesets. This class is ignored if server security is disabled.

Use the following ACF2 commands:

ACF
SET RESOURCE(HCO)
RECKEY <HBRSSID_NAME> ADD( - UID( HBRSSID_USE UID string) SERVICE(UPDATE) ALLOW)

  where <HBRSSID_USER> represents the server logonid.

Give READ access to the HBRSSID resource profile to each logonid you want to authorize. Use the following ACF2 commands:

ACF
SET RESOURCE(HCO)
RECKEY <HBRSSID_NAME> ADD( - UID( HBRSSID_USER UID string) SERVICE(READ) ALLOW)

Resource Class HBRCMD
Specifies the logonids that are authorized to issue zRule Execution Server for z/OS commands such as START, STOP, PAUSE or RESUME from the z/OS console (or equivalent). 

This class is ignored if server security is disabled.

Resource Class HBRCMD Resource Profiles:

<HBRSSID_NAME>.DUMP
<HBRSSID_NAME>.PAUSE
<HBRSSID_NAME>.RESUME
<HBRSSID_NAME>.SET.TRACE

Authorize each logonid to issue each command. Use the following ACF2 commands:

ACF
SET RESOURCE(HCM)
RECKEY <HBRSSID_NAME> ADD( DUMP UID( user UID string) SERVICE(UPDATE) ALLOW)
RECKEY <HBRSSID_NAME> ADD( PAUSE UID( user UID string) SERVICE(UPDATE) ALLOW)
RECKEY <HBRSSID_NAME> ADD( RESUME UID( user UID string) SERVICE(UPDATE) ALLOW)

The following example shows how to authorize logonid, SYSPROG1, to issue the SET TRACE command. Use the following ACF2 commands:

ACF
SET RESOURCE(HCM)
RECKEY <HBRSSID_NAME> ADD( SET.TRACE UID( SYSPROG1 UID string) SERVICE(UPDATE) ALLOW)

If the BPX.SERVER FACILITY class profile is defined, give the server logonid read access to the class profile using the following ACF2 commands:

ACF
SET RESOURCE(FAC)
RECKEY BPX ADD( SERVER UID( HBRSSID_USER UID string) SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)

where HBRSSID_USER represents the server ID, which is the logonid under which the server runs.

Use command security to ensure that only authorized users can issue zRule Execution Server for z/OS® commands from the z/OS console.

zRule is looking for this EXTRACT call to fail with return codes of 4:8/0 which means NO PROFILE FOUND. Since CA ACF2 is setup to protect by default, and does not use profile records in the same way that RACF does, there needs to be a SAFDEF record in place to send back the return codes needed for the product. Here are some sample 

SAFDEF records to enable command security:

ACF
SET CONTROL(GSO)
INSERT SAFDEF.HBRADMIN ID(HBRADMIN) MODE(IGNORE) FUNCRET(8) -
  RACROUTE(REQUEST=EXTRACT CLASS=HBRADMIN ENTITYX=<HBRSSID_NAME>.NO.SUBSYS.SECURITY)
INSERT SAFDEF.HBRCMD ID(HBRCMD) MODE(IGNORE) FUNCRET(8) -
  RACROUTE(REQUEST=EXTRACT CLASS=HBRADMIN ENTITYX=<HBRSSID_NAME>.NO.COMMAND.SECURITY)
INSERT SAFDEF.HBRCONN ID(HBRCONN) MODE(IGNORE) FUNCRET(8) -
  RACROUTE(REQUEST=EXTRACT CLASS=HBRADMIN ENTITYX=<HBRSSID_NAME>.NO.CONNECT.SECURITY)
INSERT SAFDEF.HBRRES ID(HBRRES) MODE(IGNORE) FUNCRET(8) -
  RACROUTE(REQUEST=EXTRACT CLASS=HBRADMIN ENTITYX=<HBRSSID_NAME>.NO.RESCONSOLE.SECURITY)
F ACF2,REFRESH(SAFDEF)