How to restrict access to TPX application in an ACF2 environment.

Article ID: 136960


Products

TPX - Session Management

Issue/Introduction

The TPX interface for ACF2 does not use SAF calls; instead, it uses an SVC call.

Hence a standard SAF resource rule will not work to verify access to the TPX application.

No entries will be found if a SECTRACE is initiated.

Environment

TPX 5.4

ACF2 16.0

z/OS

Resolution

Access to TPX can be restricted in an ACF2 environment with a resource rule of TYPE(APL).


Sample resource rule:

$KEY(TPX) TYPE(APL)                                            
 UID(USR01) PREVENT
 UID(*) ALLOW


Because the TPX calls are non-SAF, this rule will not work by itself. ACF2 handles non-SAF calls differently.

In the ACF2 C(GSO) OPTS record, the XAPPLVLD parameter controls APPL validation for non-SAF requests.


XAPPLVLD | NOXAPPLVLD


Specifies whether CA ACF2 will assign an APPL if no APPL is passed by the caller. On a SAF VERIFY/VERIFYX request, CA ACF2 will assign an APPL of 'MVS' followed by the 4-character SMFID of the system. On a NON-SAF signon request, if no APPL is passed by the caller, CA ACF2 will assign an APPL of 'TSO' followed by the 4-character SMFID of the system for TSO signon or 'MVS' followed by the 4-character SMFID of the system for any other signon.


Default:

NOXAPPLVLD


Using XAPPLVLD requires an update to the ACF2 SAMT table in TPX for return code ACF01046 NOT AUTHORIZED TO APPL TPX.

Add an entry #0001046 to the SAMT table and RELOAD to activate the new table.
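
The steps above, written out as an administrator might enter them. This is an added illustration, not part of the original article; it assumes the TSO ACF command processor, a started task named ACF2, and authority to change GSO records and rules. The SAMT entry syntax is not given on this page, so that step is described rather than shown.

```text
Step 1. TSO ACF command: store the APL rule from the article
        (assumption: rule text is typed at the terminal; a null line ends input)

  ACF
  SET RESOURCE(APL)
  COMPILE *
  $KEY(TPX) TYPE(APL)
   UID(USR01) PREVENT
   UID(*) ALLOW

  STORE
  END

Step 2. TSO ACF command: turn on APPL validation for non-SAF requests

  ACF
  SET CONTROL(GSO)
  CHANGE OPTS XAPPLVLD
  LIST OPTS
  END

Step 3. Operator console: activate the changed GSO record
        (assumption: the ACF2 started task is named ACF2)

  F ACF2,REFRESH(OPTS)

        If APL is a resident resource type at your site (INFODIR), also:

  F ACF2,REBUILD(APL)

Step 4. TPX: add entry #0001046 to the SAMT table and RELOAD it
        (entry syntax is not given in the article; follow the TPX documentation)

Rollback for step 2: CHANGE OPTS NOXAPPLVLD (the default), then REFRESH(OPTS).
```

After step 3, sign on to TPX as USR01 and as another user to confirm that the PREVENT and ALLOW entries behave as written before relying on the rule.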