Process flow for TPX profile access, to build dynamic users session menu in an ACF2 environment


Article ID: 143231


Products

TPX - Session Management

Issue/Introduction

During implementation of TPX Profile Selection = PROFILE authentication using ACF2 resource rules, tracing confirms that security validation is taking place:

RTPX-$DEFAULT     TRC  RTPX-$DEFAULT  Result ->    ACCESS ALLOWED
RTPX-BASEPROF   TRC  RTPX-BASEPROF  Result ->   ACCESS DENIED
RTPX-IMSPROF      TRC  RTPX-IMSPROF   Result ->     ACCESS DENIED
RTPX-STXPROF     TRC  RTPX-********  Result ->           ACCESS ALLOWED
RTPX-#DEFAULT    TRC  RTPX-********  Result ->           ACCESS ALLOWED

- How does TPX determine the order for checking access against the existing profiles?
- How is the session list then built?
- Is it a collected superset?

Users are dynamic. The ACF2 resource rules in effect are:

$KEY($DEFAULT) TYPE(TPX)                 
 UID(*) LOG                          

$KEY(********) TYPE(TPX)        
 UID(*) LOG                                              
                                                         
$KEY(BASEPROF) TYPE(TPX) 
 UID(*) PREVENT                                          
                                                         
$KEY(IMSPROF) TYPE(TPX)    
 UID(*) PREVENT 

Environment

Release : 5.4
Component : z/OS

Resolution

If Profile Selection = PROFILE is defined in TPX SMRT option 9 as the validation method for dynamic users in an ACF2 environment, then ACF2 resource rule validation for Resource Class (RTPX / Type TPX) is performed for ALL profiles created in TPX.

There should be an ACF2 resource rule for each profile created in TPX, in the form:

$KEY(profile-name) TYPE(TPX)                
 UID(*) ALLOW or PREVENT


The dynamic user's session list (menu) is built as a collected composite of what the dynamic user is allowed to access, based on the resource rules for each profile.
If NO ACF2 resource rule is present, a blank menu (session list) will be displayed.

It is recommended to create a general resource rule that allows ALL dynamic users access, in order to test the validity of the setup:

$KEY(********) TYPE(TPX)                
 UID(*) ALLOW or LOG


However, consider removing this rule once it has been determined which set of users is allowed access to a specific profile.
ACF2 rules can then be implemented to enforce specific profiles for dynamic users.
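
The following is an added example, not part of the original article and not TPX or ACF2 code: a simplified Python model of the rule lookup seen in the trace, used to list which profiles are granted only through the `********` catch-all before that rule is removed. The matching logic (exact key first, then a mask in which each `*` matches one character or trailing padding) and all function names are assumptions chosen to reproduce the trace above, not ACF2's actual algorithm.

```python
# Simplified model of the rule lookup seen in the article's trace (an assumption,
# not ACF2's own matching code): an exact $KEY wins over a masked one, and each
# '*' in a mask matches one character or trailing padding.

# Rules ($KEY -> action for UID(*)) and profile names as listed in the article.
RULES = {"$DEFAULT": "LOG", "********": "LOG",
         "BASEPROF": "PREVENT", "IMSPROF": "PREVENT"}
PROFILES = ["$DEFAULT", "BASEPROF", "IMSPROF", "STXPROF", "#DEFAULT"]
GRANTING = {"ALLOW", "LOG"}  # LOG grants access, as the trace shows

def mask_matches(mask, name):
    """True if the name, padded to the mask length, fits the mask."""
    if len(name) > len(mask):
        return False
    padded = name.ljust(len(mask))
    return all(m == "*" or m == c for m, c in zip(mask, padded))

def matching_key(name, rules):
    """Return the $KEY that decides access for a profile, or None."""
    if name in rules:
        return name
    masks = [k for k in rules if "*" in k and mask_matches(k, name)]
    # Prefer the mask with the fewest wildcards (the most specific one).
    return min(masks, key=lambda k: k.count("*"), default=None)

def evaluate(profiles, rules):
    """Map each profile to (deciding key, access granted?)."""
    result = {}
    for name in profiles:
        key = matching_key(name, rules)
        result[name] = (key, key is not None and rules[key] in GRANTING)
    return result

def session_menu(profiles, rules):
    """Profiles whose sessions end up in the dynamic user's menu."""
    return [p for p, (_, ok) in evaluate(profiles, rules).items() if ok]

def granted_by_mask(profiles, rules):
    """Profiles granted only through a masked key, with no rule of their own."""
    return [p for p, (k, ok) in evaluate(profiles, rules).items() if ok and "*" in k]

if __name__ == "__main__":
    print("menu built from:", session_menu(PROFILES, RULES))
    print("granted via mask:", granted_by_mask(PROFILES, RULES))
```

Profiles reported by `granted_by_mask` are the ones that lose access when the catch-all rule is removed, so each needs its own `$KEY(profile-name)` rule first if it should stay on the menu.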