Process flow for TPX profile access, to build dynamic users session menu in an ACF2 environment

book

Article ID: 143231

calendar_today

Updated On:

Products

CA TPX - Session Management TPX- PACKAGE TPX SESSION MANAGEMENT

Issue/Introduction

During implementation of TPX 'profile selection' for PROFILE authentication using ACF2 resource rules, tracing confirms, security validation is being implemented. 

RTPX-$DEFAULT     TRC  RTPX-$DEFAULT  Result ->    ACCESS ALLOWED
RTPX-BASEPROF   TRC  RTPX-BASEPROF  Result ->   ACCESS DENIED
RTPX-IMSPROF      TRC  RTPX-IMSPROF   Result ->     ACCESS DENIED
RTPX-STXPROF     TRC  RTPX-********  Result ->           ACCESS ALLOWED
RTPX-#DEFAULT    TRC  RTPX-********  Result ->           ACCESS ALLOWED

- How does TPX determine the order for checking access against the existing profiles ?
- How is the session list then built ? 
- Is it a collected superset ?

Users are dynamic, 
ACF2 resource rules in effect are:

$KEY($DEFAULT) TYPE(TPX)                 
 UID(*) LOG                          

$KEY(********) TYPE(TPX)        
 UID(*) LOG                                              
                                                         
$KEY(BASEPROF) TYPE(TPX) 
 UID(*) PREVENT                                          
                                                         
$KEY(IMSPROF) TYPE(TPX)    
 UID(*) PREVENT 

Environment

Release : 5.4
Component : z/OS

Resolution

If TPX Profile Selection = PROFILE is defined in the TPX SMRT option 9, as the validation method in an ACF2 environment, for Dynamic users, then ACF2 Resource Rule validation for
Resource Class: {RTPX / Type TPX) is implemented for ALL PROFILES created in TPX.

There should be an ACF2 Resource Rule for each created profile in TPX, in the form,

$KEY(profile-name) TYPE(TPX)                
 UID(*) ALLOW or PREVENT


The Dynamic users Session list (Menu), is built as a collected composite of what a dynamic user is allowed access to, based on the Resource Rules for 'that' profile.
If NO ACF2 resource rule is present, a blank Menu (session list) will be displayed.

It is recommended to create a general resource rule to allow ALL Dynamic users access in order to test validity of setup. 

$KEY(********) TYPE(TPX)                
 UID(*) ALLOW or LOG


H
owever, consider removing this once it has been been determined which set of users are allowed to a specific Profile.
ACF2 Rules can then be implemented to
enforce specific profiles to dynamic users.