The IBM Knowledge Center has a document on "Authorizing access to the CICS region
". In there IBM discusses using the APPL class. By a default SAFDEF record, ACF2 will ignore all APPL calls: APPL JOBNAME=******** USERID=******** PROGRAM=******** RB=******** RETCODE=4 SAFDEF=INTERNAL MODE=IGNORE SUBSYS=ACF2 FUNCRET=4 FUNCRSN=0 RACROUTE REQUEST=AUTH,REQSTOR='ACF9CSFV'
This will need to be overridden. But first there are changes needed to be done because changing the SAFDEF because changing the SAFDEF by itself will more then likely grind the system to a halt.
ACF2 also uses a default CLASMAP record pointing to type code SAF. ACF2 Support recommends that this be changed. For this example, APP
will be used.INSERT CLASMAP.APPL RESOURCE(APPL) RSRCTYPE(APP) ENTITYLN(8)
Next a default rule is needed, which requires a resident directory.CHANGE INFODIR TYPES(R-RAPP) ADD
To make these changes active:F ACF2,REFRESH(CLASMAP)F ACF2,REFRESH(INFODIR)
Now a global rule to allow access to all the "other" APPL calls made on the system. If what APPL calls are needed to be seen in SMF data, change the rule line from ALLOW to LOG.$KEY(********)UID(-) ALLOW
After this is compiled, add it to resident storage. The following command will be needed after any rule changes to type APP:F ACF2,REBUILD(APP)
Now the system is ready to add the SAFDEF to turn on validation for APPL class calls.INSERT SAFDEF.APP ID(APP) MODE(GLOBAL) RACROUTE(REQUEST=AUTH REQSTOR=ACF9CSFV CLASS=APPL) REP
To activate it: F ACF2,REFRESH(SAFDEF)
NOTE: To undo this, either change the SAFDEF to MODE(IGNORE) or delete the SAFDEF, and reissue the REFRESH command for SAFDEF.
At this point, rules can be added to validate users to the CICS regions. In the $KEY, add the CICS APPLID for each region, and then add rule lines for the users that need to be allowed. The following is only an example. Check with the CICS System Programmer for the names of the APPLID on the CICS systems that need to validate the user access. $KEY(CICSPRD1) TYPE(APP) UID(uid string) ALLOW $KEY(CICSTST2) TYPE(APP) UID(uid string) ALLOW
ROLESET rules can also be done if so inclined.