If native CICS is used, how can ACF2 be set up to validate a user's access to a CICS region?

Article ID: 191231

Products

ACF2 ACF2 - z/OS ACF2 - MISC
Issue/Introduction

If the ACF2/CICS interface is not being used, but native CICS instead, how can ACF2 be set up to validate a user's access to a CICS region?

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

The IBM Knowledge Center has a document on "Authorizing access to the CICS region". There IBM discusses using the APPL class. Because of the following default SAFDEF record, ACF2 ignores all APPL calls:

APPL     JOBNAME=********   USERID=********   PROGRAM=********   RB=********
         RETCODE=4          SAFDEF=INTERNAL   MODE=IGNORE        SUBSYS=ACF2
         FUNCRET=4          FUNCRSN=0

         RACROUTE REQUEST=AUTH,REQSTOR='ACF9CSFV'

This default will need to be overridden. But some other changes must be made first, because changing the SAFDEF by itself will more than likely grind the system to a halt: with nothing else in place, every APPL call would be validated against rules that do not yet exist.

ACF2 also uses a default CLASMAP record that maps the APPL class to type code SAF. ACF2 Support recommends that this be changed to a dedicated type code. For this example, APP will be used.

INSERT CLASMAP.APPL RESOURCE(APPL) RSRCTYPE(APP) ENTITYLN(8)

Next, a default rule is needed, which requires a resident directory for the new type code:

CHANGE INFODIR TYPES(R-RAPP) ADD

To make these changes active:

F ACF2,REFRESH(CLASMAP)
F ACF2,REFRESH(INFODIR)

Now add a global rule to allow all the "other" APPL calls made on the system. If you need to see in the SMF data which APPL calls are being made, change the rule line from ALLOW to LOG.

$KEY(********)
UID(-) ALLOW

After this rule is compiled, add it to resident storage. The following command is needed after any rule change to type APP:

F ACF2,REBUILD(APP)

Now the system is ready for the SAFDEF that turns on validation for APPL class calls:

INSERT SAFDEF.APP ID(APP) MODE(GLOBAL) RACROUTE(REQUEST=AUTH REQSTOR=ACF9CSFV CLASS=APPL) REP

To activate it: F ACF2,REFRESH(SAFDEF)

NOTE: To undo this, either change the SAFDEF to MODE(IGNORE) or delete the SAFDEF, and then reissue the REFRESH command for SAFDEF.


At this point, rules can be added to validate users to the CICS regions. In the $KEY, use the CICS APPLID of each region, and then add rule lines for the users that need to be allowed. The following is only an example. Check with the CICS System Programmer for the APPLIDs of the CICS systems that need to validate user access.
 
$KEY(CICS1) TYPE(APP)
 UID(uid string) ALLOW
 
$KEY(CICS2) TYPE(APP)
 UID(uid string) ALLOW
 
ROLESET rules can also be used if desired.
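The following is an added, deliberately simplified model of the validation path described above (the CLASMAP type code, the masked global $KEY, the per-region $KEY and the SAFDEF mode); it is not ACF2 code and is not from the article. It assumes that with SAFDEF MODE(GLOBAL) the system runs in ABORT mode, so an APPL call with no matching rule is denied, which is the "grind to a halt" case if the SAFDEF is changed before the global rule exists.

```python
# Simplified model of ACF2 APPL-class validation as set up in the article.
# Not ACF2 code; real rule processing (NEXTKEY, %CHANGE, SHIFT, rule-line
# ordering, other SAFDEF modes) is omitted. Assumption: MODE(GLOBAL) plus a
# GSO OPTS mode of ABORT means "no matching rule" is a denial.
CLASMAP = {"APPL": "APP"}   # INSERT CLASMAP.APPL RESOURCE(APPL) RSRCTYPE(APP)
ENTITYLN = 8                # ENTITYLN(8): APPLID entity is an 8-byte field


def mask_match(pattern, value):
    """ACF2-style masking: '*' matches any one character, '-' the remainder."""
    if "-" in pattern:
        head = pattern[: pattern.index("-")]
        return mask_match(head, value[: len(head)])
    if len(pattern) != len(value):
        return False
    return all(p == "*" or p == v for p, v in zip(pattern, value))


def lookup_key(rules, rtype, entity):
    """Most specific $KEY of the given type that masks the entity, or None."""
    padded = entity.ljust(ENTITYLN)
    hits = [k for k, r in rules.items()
            if r["type"] == rtype and mask_match(k.ljust(ENTITYLN), padded)]
    if not hits:
        return None
    return min(hits, key=lambda k: k.count("*") + k.count("-"))


def validate_appl(applid, uid, rules, safdef_mode="IGNORE"):
    """Outcome of RACROUTE REQUEST=AUTH,CLASS=APPL for one user and region."""
    if safdef_mode == "IGNORE":       # default SAFDEF: rules are never consulted
        return "IGNORE"
    key = lookup_key(rules, CLASMAP["APPL"], applid)
    if key is None:
        return "DENY"                 # GLOBAL + ABORT with no rule at all
    for uidmask, action in rules[key]["lines"]:
        if mask_match(uidmask, uid):
            return action             # ALLOW, or LOG (allow plus SMF record)
    return "DENY"                     # $KEY found but no rule line matched


def sample_rules(with_global=True):
    """Constructed rule set: the article's $KEY(********) and a $KEY(CICS1)."""
    rules = {"CICS1": {"type": "APP", "lines": [("PROD-", "ALLOW")]}}
    if with_global:
        rules["********"] = {"type": "APP", "lines": [("-", "ALLOW")]}
    return rules
```

Running `validate_appl("CICS9", "TESTUSR", sample_rules(False), "GLOBAL")` shows the denial that every unrelated APPL call would get if the SAFDEF were switched on without the global rule.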