When utilizing ACF2 SAF HFS Security when would the CA SAF HFS Security exit be needed?

Document ID : KB000012224
Last Modified Date : 14/02/2018
Show Technical Document Details
Question:

When utilizing ACF2 SAF HFS Security when would the CA SAF HFS Security exit be needed?

Answer:

Sites have 2 options for securing access to the Hierarchical File System, native (HFS)UNIX System Services security or  CA SAF HFS Security.  The CA SAF HFS Security exit can be used to customize CA SAF HFS Security installation-specific processing.

A sample CA SAF HFS Security exit in the format of a SMP/E usermod can be found in CAX1JCL0, member UM80001. 

The following identify four possible situations that a site might want to use this optional CA SAF HFS Security exit. 

  1. If a site's USS paths that are greater than 255 characters the optional CA SAF HFS Security exit can be used.

    Your site can use the exit to provide a meaningful name. Before validation, all path names
    are truncated, if necessary, to 255 characters. An exit point (HFSEXIT) is provided for use
    when file names reside in paths that are greater than 255 characters. Your site can use the
    exit to provide a meaningful name. See Exit Processing for more information.

  2. By default CA SAF HFS Security will translate the slash character delimiter and special characters in path names
    and file names, if a site wants to use other characters or change the translation the optional CA SAF HFS Security
    exit can be used.

    CA ACF2 resource rule processing considers the period character as a delimiter. This delimiter is used when writing
    extended resource rules, that is, to provide security for resource names of greater than forty characters. Path names,
    however, use the slash character as a delimiter. Before a file is validated, the path name will have all slash characters,
    with the exception of the first, translated into a period delimiter. Other special characters will be translated into the
    dollar sign ($). These include characters that are used as masking characters in resource rules. If not translated, these
    characters could create undesired results. The special characters include the period, asterisk, dash, plus, blank, and
    quote. An exit point is provided that can further modify any character to meet special needs, with the exception of the
    slash character, which will always be translated to a period delimiter.

  3. If the path name's first qualifier is greater than forty characters a site can use the CA SAF HFS Security exit to provide
    a more meaningful first level qualifier.

    CA ACF2 represents HFS path names as qualified resource names. One of the requirements of qualified resource names
    is that the first qualifier must be 1-40 bytes in length. If, after translation, the HFS path name does not contain a period
    in the first 41 bytes, the path name translation capability of the exit can be used to provide a meaningful first level qualifier.

  4. When implementing HFS file validation a site can change how user files are validated based on user directories. The CA SAF
    Security exit can be used to recognize the user directory path and the resource can be translated into the $$userid format.
    For example, path name /u/user01/proj1/file1.txt is translated to $$USER01.PROJ1.FILE1$TXT.

    The CA SAF HFS Security exit can be used for Path Name Translation, which automatically translates the rule to the
    $$userid format at validation time. This facility can be used if all user directories are anchored at the same location in
    the file system. The exit defines this location to CA SAF HFS security as the useuser directory mount point. A common
    location for user directories to be anchored is at the /u/ mount point. If this is the case, expanding upon the previous
    example, path name /u/user01/proj1/file1.txt is translated to $$USER01.PROJ1.FILE1$TXT. Even if user directories are
    not anchored in one central location, the exit can be used to create the $$userid format of the resource at validation time.
    By default, no user directory path is recognized and the resource is not translated into the $$userid format.