What exactly is the FASTPATH processing and the audit trail documented in the Admin Guide?

Document ID : KB000011175
Last Modified Date : 14/02/2018
Question:

In Chapter 21: z/OS UNIX System Services Support of the CA ACF2 Admin Guide, there is a section that talks about OMVS and ACF2 FASTPATH processing and an audit trail. What exactly does this mean?

Answer:

Whether OMVS uses FASTPATH processing is determined when OMVS initializes. OMVS makes a FASTAUTH call with a resource name of BPX.SAFFASTPATH. If access to this resource is allowed, OMVS does permission bit checking internally: CA ACF2 is not involved, and no audit trail is kept for those checks. If your site would prefer to have CA ACF2 do the permission bit checking, with an audit trail kept in the SMF records and reported on with the ACFRPTOM report, then access should be denied for the BPX.SAFFASTPATH call.

The BPX.SAFFASTPATH call could be allowed because of an ACF2 rule, or because the OMVS address space has NON-CNCL. If OMVS has NON-CNCL, then as documented, the following SAFDEF needs to be added to the system:

INSERT SAFDEF.OEFSTART FUNCRET(4) ID(OEFSTAUT) JOBNAME(OMVS) MODE(IGNORE) RB(BPX-) RACROUTE(REQUEST=AUTH CLASS=FACILITY ENTITY=BPX.SAFFASTPATH) REP

If OMVS is not running with NON-CNCL, then make sure that the BPX rule is set up to prevent access:

$KEY(BPX) TYPE(FAC) 
SAFFASTPATH UID(uid for OMVS stc) PREVENT 

This rule must be RESIDENT in ACF2 because the call is a FASTAUTH call.