Determine If SDSF Is Setup To Use SAF With Top Secret
search cancel

Determine If SDSF Is Setup To Use SAF With Top Secret


Article ID: 185335


Updated On:


Top Secret


Is there a way to determine if SDSF is set up to use SAF with Top Secret, including how the GRPINDEX in SDSF is being setup for each TSOID?


Release : 16.0

Component : CA Top Secret for z/OS


Issue TSS WHOOWNS SDSF(*) to see what resources are owned in the SDSF resource class. SDSF uses SAF to make its initial call for external security. If external security ignores the call (ie return code of 04 meaning the resource is not defined), then SDSF internal security is used utilizing the ISFPARMS dataset.

From the IBM z/OSMF SDSF Settings Help documentation at the following link:

GRPINDEX - Index of your group in the SDSF PARMLIB member ISFPRMxx or in the SDSF customization module ISFPARMS. For example, an index number of 3 indicates that you were assigned to the group defined by the third GROUP statement in ISFPRMxx.

In RACF, to authorize membership in a group in ISFPARMS, the following commands are used:

 PERMIT CLASS(SDSF) ID(userid or  groupid) 

The Top Secret equivalent commands are:


‘dept’ is the deparment acid you want to own the resource.
‘acid’ is the user’s acid, an attached profile, or the ALL record if all users should have access.

If a name is not assigned to a group, SDSF generates one in the format: ISF plus the index value of the group, in the format ISFnnnnn.

The ISFPARMS and statements shipped with SDSF use the following group names:
ISFSPROG for group 1 resource: GROUP.ISFSPROG.SDSF
ISFOPER for group 2 resource: GROUP.ISFOPER.SDSF
ISFUSER for group 3 resource: GROUP.ISFUSER.SDSF