When utilizing ACF2 SAF HFS Security, when would the CA SAF HFS Security exit be needed?
Sites have two options for securing access to the Hierarchical File System (HFS): native UNIX System Services security or CA SAF HFS Security. The CA SAF HFS Security exit can be used to customize CA SAF HFS Security with installation-specific processing.
A sample CA SAF HFS Security exit in the format of a SMP/E usermod can be found in CAX1JCL0, member UM80001.
The following are four situations in which a site might want to use this optional CA SAF HFS Security exit.
- If a site has USS paths that are greater than 255 characters, the optional CA SAF HFS Security exit can be used.
Before validation, all path names are truncated, if necessary, to 255 characters. An exit point
(HFSEXIT) is provided for use when file names reside in paths that are greater than 255 characters.
Your site can use the exit to provide a meaningful name. See Exit Processing for more information.
- By default, CA SAF HFS Security translates the slash character delimiter and special characters in path names
and file names. If a site wants to use other characters or change the translation, the optional CA SAF HFS Security
exit can be used.
CA ACF2 resource rule processing considers the period character as a delimiter. This delimiter is used when writing
extended resource rules, that is, to provide security for resource names of greater than forty characters. Path names,
however, use the slash character as a delimiter. Before a file is validated, the path name will have all slash characters,
with the exception of the first, translated into a period delimiter. Other special characters will be translated into the
dollar sign ($). These include characters that are used as masking characters in resource rules. If not translated, these
characters could create undesired results. The special characters include the period, asterisk, dash, plus, blank, and
quote. An exit point is provided that can further modify any character to meet special needs, with the exception of the
slash character, which will always be translated to a period delimiter.
- If the path name's first qualifier is greater than forty characters, a site can use the CA SAF HFS Security exit to provide
a more meaningful first-level qualifier.
CA ACF2 represents HFS path names as qualified resource names. One of the requirements of qualified resource names
is that the first qualifier must be 1-40 bytes in length. If, after translation, the HFS path name does not contain a period
in the first 41 bytes, the path name translation capability of the exit can be used to provide a meaningful first level qualifier.
- When implementing HFS file validation, a site can change how user files are validated based on user directories. The CA SAF
HFS Security exit can be used to recognize the user directory path so that the resource is translated into the $$userid format.
For example, path name /u/user01/proj1/file1.txt is translated to $$USER01.PROJ1.FILE1$TXT.
The CA SAF HFS Security exit can be used for Path Name Translation, which automatically translates the rule to the
$$userid format at validation time. This facility can be used if all user directories are anchored at the same location in
the file system. The exit defines this location to CA SAF HFS Security as the user directory mount point. A common
location for user directories to be anchored is at the /u/ mount point. If this is the case, expanding upon the previous
example, path name /u/user01/proj1/file1.txt is translated to $$USER01.PROJ1.FILE1$TXT. Even if user directories are
not anchored in one central location, the exit can be used to create the $$userid format of the resource at validation time.
By default, no user directory path is recognized and the resource is not translated into the $$userid format.
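As an added illustration (not CA's exit code and not part of the product), the following Python models the translation rules described above so that a rule writer can predict the resource name for a path and see when one of the four situations applies. The function names, the `user_mount` parameter, treating both quote characters as special, and upper-casing every name are assumptions.

```python
# Model of the default path-name translation described above (added example,
# not CA's exit code). Assumptions are marked inline.
MAX_PATH = 255          # paths are truncated to 255 characters before validation
MAX_FIRST_QUAL = 40     # first qualifier of a resource name must be 1-40 bytes
# Characters the page lists as translated to '$'. The page says "quote" without
# naming which one, so both ' and " are included here (assumption).
SPECIALS = set(".*-+ '\"")


def _translate(text):
    """Map '/' to the '.' delimiter and each special character to '$'."""
    out = []
    for ch in text:
        if ch == "/":
            out.append(".")
        elif ch in SPECIALS:
            out.append("$")
        else:
            out.append(ch)
    # Upper-casing follows the page's $$USER01 example (assumption for other paths).
    return "".join(out).upper()


def resource_name(path, user_mount=None):
    """Return (resource_name, findings) for an absolute HFS path.

    user_mount models the user directory mount point that the exit would
    define, e.g. "/u/"; None models the default (no $$userid translation).
    """
    findings = []
    if len(path) > MAX_PATH:
        findings.append("path exceeds 255 characters and is truncated")
        path = path[:MAX_PATH]
    if user_mount and path.startswith(user_mount) and len(path) > len(user_mount):
        name = "$$" + _translate(path[len(user_mount):])
    else:
        # The first slash is kept; every later slash becomes a period.
        name = path[0] + _translate(path[1:])
    if len(name.split(".", 1)[0]) > MAX_FIRST_QUAL:
        findings.append("first qualifier exceeds 40 bytes")
    return name, findings


if __name__ == "__main__":
    # Constructed sample paths.
    for p in ("/u/user01/proj1/file1.txt", "/" + "d" * 45 + "/file"):
        print(resource_name(p, user_mount="/u/"))
```

A non-empty findings list marks a path for which the default translation yields a truncated name or an over-long first qualifier, which are the cases where the exit can supply a meaningful name.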