How can access be restricted to CICS regions for terminal users if the ACF2/CICS interface is not used.


Article ID: 145529


Products

ACF2, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

CICS is not using the ACF2/CICS interface but SAF external security instead. How can access to CICS regions be restricted for terminal users? The following document was found in the IBM Knowledge Center:

Authorizing access to the CICS region


Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

Per IBM documentation, CICS makes a RACROUTE call under the APPL class. ACF2 ignores APPL class calls by default, so a SAFDEF override is needed. The default CLASMAP for the APPL class points to SAF, so changing it is also recommended. Because other z/OS components also make APPL calls, a generic rule that allows (or allows and logs) the access should be created first, so that enabling APPL validation does not affect those callers. Here are examples of these changes.

$KEY(********) TYPE(APL)
 UID(-) ALLOW
 
SET CONTROL(GSO)
INSERT CLASMAP.APPL  ENTITYLN(8)  RESOURCE(APPL) RSRCTYPE(APL) LOG
CHANGE INFODIR TYPE(R-RAPL) ADD
F ACF2,REFRESH(CLASMAP)
F ACF2,REFRESH(INFODIR)
F ACF2,REBUILD(APL)
 
INSERT SAFDEF.APPL2 ID(APPL2) MODE(GLOBAL) RACROUTE(REQUEST=AUTH,CLASS=APPL)
F ACF2,REFRESH(SAFDEF)
 
At this point the system still works as before: APPL validations are now being made, but the generic rule allows them all. APPL rules for the individual CICS regions can now be added.

$KEY(eight char CICS region applid) TYPE(APL)
 UID(uid string of user allowed to region) ALLOW
 UID(-) PREVENT                        <=== to prevent all other users
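A complete, constructed example of such a region rule as it would be compiled and stored from the TSO ACF command; it is added here and is not from the article or from IBM's documentation. It assumes a placeholder region APPLID of CICSPRD1 and that the site's UID string starts with a group field, so PRDCICS and SUPPORT are placeholder prefixes; the SUPPORT entry uses LOG (access allowed but recorded) so the rule can be audited before relying on the final PREVENT.

```text
ACF
SET RESOURCE(APL)
COMPILE * STORE
* Constructed example: CICSPRD1 is a placeholder region APPLID
$KEY(CICSPRD1) TYPE(APL)
* Production CICS operators: UID string begins PRDCICS (site-specific prefix)
 UID(PRDCICS-) ALLOW
* Support staff: access allowed, but each sign-on writes a logging record
 UID(SUPPORT-) LOG
* Everyone else is denied. To audit first, store this as UID(-) LOG,
* review the logging records, then change it to PREVENT.
 UID(-) PREVENT

END
```

The rule input ends with a null line; afterwards the rule is made active with the same console command shown above, F ACF2,REBUILD(APL), since the INFODIR entry makes APL rules resident.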

Additional Information

This IBM page discusses the APPLID of a CICS region:

https://www.ibm.com/support/knowledgecenter/SSGMCP_5.4.0/security/cics/dfht52l.html