ZFS file system setup / considerations for z/OS 1.12 and 1.13 - New resource class FSACCESS per IBM apar OA35970 / OA35974

Document ID : KB000021731
Last Modified Date : 14/02/2018

Introduction:

IBM added a new function that checks a user's authority to access the file system objects on z/OS UNIX zFS file systems using the new SAF FSACCESS resource class. IBM delivered this support in OA35970/OA35974 for z/OS 1.12 and 1.13. The CA ACF2 support for it was added with the z/OS 1.13 support listed in Upgrade solution RI35635. Superuser authority is not considered in this check. The check is intended to be "coarse grained": if the user is not authorized to the FSACCESS resource, no further checking is performed and the user is denied access to the zFS, even if they are a superuser. If the user is authorized to the z/OS UNIX zFS file system container profile, then access to the individual file or directory is governed, as it is today, by the file permission bits and ACLs associated with the z/OS UNIX file system objects, or, if CA SAF HFS security is enabled, by the corresponding CA ACF2 resource rules.

Because CA ACF2 protects resources by default, once this support is in place all users of a zFS, including superusers, will be denied access until the needed resource rules have been written.

Note: This FSACCESS resource validation applies only to z/OS UNIX zFS file systems, NOT to HFS file systems.

Instructions:

Before you begin: You need to know which users or groups will be given access to the specified file system.

For our example, the zFS is named: OMVS.ZFS.WEBSRV.TOOLS

CA ACF2 maintenance added a type code of FSA to the internal CLASMAP table for this new feature. If you wish to use a different type code, you will need to define your own CLASMAP. The resource rule for the zFS would look like this:

$KEY(OMVS) TYPE(FSA)
ZFS.WEBSRV.TOOLS UID(uid string of the user) SERVICE(UPDATE) ALLOW

This new resource class uses FASTAUTH calls, so the FSA rules must be made resident through the GSO INFODIR record:

CHANGE INFODIR TYPES(R-RFSA) ADD
F ACF2,REFRESH(INFODIR)
F ACF2,REBUILD(FSA)

Because the rules are resident, the REBUILD command must be issued again after every subsequent change to the FSA rules.
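A complete worked version of the steps above, as an added example that is not code from the original article or from CA/Broadcom: one batch job that compiles and stores the FSA rule set for OMVS.ZFS.WEBSRV.TOOLS, adds the FSA type to INFODIR, and then issues the REFRESH and REBUILD operator commands. The job card, the job and step names, and the UID masks WEBADM- and WEBSRV- are assumptions; the rule key OMVS, the type code FSA, and the three operator commands are the ones the article gives. The SDSF batch step assumes the submitting user is authorized to issue system commands through SDSF; if not, enter those commands from a console instead.

```jcl
//FSARULE  JOB (ACCT),'FSACCESS RULE',CLASS=A,MSGCLASS=X
//* Step 1: compile and store the FSA rule set and update GSO INFODIR
//*         (TSO batch running the ACF command)
//ACF      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
ACF
SET RESOURCE(FSA)
COMPILE * STORE
* Assumed example: container rule for zFS OMVS.ZFS.WEBSRV.TOOLS.
* Anything not matched below is denied by ACF2 default protection,
* superusers included, because FSACCESS is checked before superuser
* authority or file permission bits are considered.
$KEY(OMVS) TYPE(FSA)
ZFS.WEBSRV.TOOLS UID(WEBADM-) SERVICE(UPDATE) ALLOW
ZFS.WEBSRV.TOOLS UID(WEBSRV-) SERVICE(UPDATE) ALLOW

LIST OMVS
SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-RFSA) ADD
END
/*
//* Step 2: activate the INFODIR change and build the resident FSA directory
//*         (operator commands issued through SDSF batch, '/' prefix)
//SDSF     EXEC PGM=SDSF
//ISFOUT   DD SYSOUT=*
//ISFIN    DD *
/F ACF2,REFRESH(INFODIR)
/F ACF2,REBUILD(FSA)
/*
```

The empty record after the last rule line ends the COMPILE * input, and the LIST OMVS that follows echoes the stored rule set so the job output can be checked before the REBUILD runs. Repeat only the COMPILE and the REBUILD command when the rule set is changed later; the INFODIR change is needed once.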