search cancel

Implementation of ACF2 security for IBM ALCS Airline Control System

book

Article ID: 200001

calendar_today

Updated On:

Products

ACF2 ACF2 - z/OS ACF2 - MISC

Issue/Introduction

What are the commands required to implement ACF2 security for IBM ALCS Airline Control System?

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

The following JCL is an example of the required steps for setting up Airline Control System V2 as described in Installation and Customization Rel 4.1

//* ALCS Security - RACF to ACF2 translation

//*================================================================ 
//* This job does setup for  Airline Control System V2
//*===============================================================

//*  The discussion below includes IBM manual excerpts and ACF2-related comments
//*  that start with '*' in column 1. These are followed by ACF2 commands.
//*  The section number from the manual is included for further reference.

//*  There are 4 resource classes used in ALCS - 3 have defaults in ACF2 (i.e. SAF). 
//*   he resource class ALCSAUTH will default to the first three characters  of the 
//*  resource class - ALC, and needs no CLASMAP. 
//*  APPL        SAF    8      
//*  ALCSAUTH    ALC
//*  GTERMINL    SAF    8 
//*  TERMINAL    SAF    8

//*  CLASMAP records
//*  If you do not add the 3 CLASMAP records (below), CA ACF2 translates the classes 
//*  APPL, GTERMINL, TERMINAL to the default, SAF. Sites are recommended to specify a
//*  unique TYPE code for resource rules. In the example below, we selected 
//*  APL, GTM and TER. 
//*  NOTE: 
//* 

//CLASMAP EXEC PGM=IKJEFT01 
//SYSTSPRT DD SYSOUT=* 
//* 
//SYSTSIN DD *
ACF
SET CONTROL(GSO)
INSERT CLASMAP.APL RESOURCE(APPL) RSRCTYPE(APL)
INSERT CLASMAP.GTM RESOURCE(GTERMINL) RSRCTYPE(GTM)
INSERT CLASMAP.TER RESOURCE(TERMINAL) RSRCTYPE(TER)

//*

/* section 2.4.7, Default user IDs
//* 
//*  You can create profiles to control which user IDs can be default user IDs of your
//*  ALCS systems. These profiles have names of the form:
//*  luname.NOLOG

ACF 
SET RESOURCE(ALC)
RECKEY luname ADD( NOLOG UID(ALCS users uid string) SERVICE(READ) ALLOW)

//*  section 2.4.9 Terminal (TERMINAL and GTERMINL) profiles

//*  You can create profiles to control who can use particular terminals.
//*  If you create profiles for terminals where ALCS end users logon, you must ensure
//*  that the end users have READ access to the terminals that they use.
//*  For SNA terminals, the profile name is the * logical unit (LU) name of the 
//*  terminal. For terminals known only to ALCS (for example, ALC terminals), 
//*  the profile name is the ALCS CRN.
//*  Substitute actual (LU) name of the terminal, ALC terminal for 'terminal'
//*  'SNAterminal' and 'ALCS-CRN'

//* Sample GTERMINL rule

ACF
SET RESOURCE(GTM)
RECKEY terminal ADD( UID(ALCS users uid string) SERVICE(READ) ALLOW)
RECKEY SNAterminal ADD( UID(ALCS users uid string) SERVICE(READ) ALLOW)
RECKEY ALCS-CRN ADD( UID(ALCS users uid string) SERVICE(READ) ALLOW)

//*  Sample TERMINAL rule

SET RESOURCE(TER)
RECKEY terminal ADD( UID(ALCS users uid string) SERVICE(READ) ALLOW)
RECKEY SNAterminal ADD( UID(ALCS users uid string) SERVICE(READ) ALLOW)
RECKEY ALCS-CRN ADD( UID(ALCS users uid string) SERVICE(READ) ALLOW)


//*  section 2.4.11 ACB (VTAMAPPL) profiles

//*  Sample VTAMAPPL rule:


ACF
SET RESOURCE(APL)
RECKEY applid ADD( UID(ALCS users uid string) SERVICE(READ) ALLOW)

//* 
//*  section 2.4.12 ALCSAUTH profiles - overview

//*  If you have a production ALCS system that uses the LU name 'ALCSPROD' and
//*  test systems that use LU names 'ALCST1', and 'ALCST2', you define the profiles:
//*  ALCSPROD.CRAS.PRIME
//*  ALCST1.CRAS.PRIME
//*  ALCST2.CRAS.PRIME
//*  You use the RACF RDEFINE command to define a profile in the ALCSAUTH class.
//*  You use the RACF PERMIT command to grant access to the profile. You must
//*  PERMIT all users who need to use the function or facility that the profile protects.

//* Sample ALCSAUTH rule
ACF
SET RESOURCE(ALC)
RECKEY ALCSPROD ADD( CRAS.PRIME UID(ALCS users uid string) ALLOW)
RECKEY ALCST1 ADD( CRAS.PRIME UID(ALCS users uid string) ALLOW)
RECKEY ALCST2 ADD( CRAS.PRIME UID(ALCS users uid string) ALLOW)

//*
//* section 2.4.13 ALCSAUTH profiles - HFS functions

//* You can create a profile to control which user IDs can access functions which
//* update the ALCS hierarchical file system (HFS). This profile has a name of the
//* form:
//* luname.ALCSAPPL.HFS

ACF 
SET RESOURCE(ALC)
RECKEY luname ADD( ALCSAPPL.HFS UID(ALCS users uid string) SERVICE(UPDATE) ALLOW)

//*
//* section 2.4.14 ALCSAUTH profiles - XCF group names
//* You can create profiles to control who can start ALCS instances that join XCF
//* groups. These profiles have names of the form:
//* luname.XCFGROUP

ACF 
SET RESOURCE(ALC)
RECKEY luname ADD( XCFGROUP UID(ALCS users uid string) SERVICE(READ) ALLOW)


//*  section 2.4.16 ALCSAUTH profiles - CRAS authority
//*  You can create profiles to control which user IDs can access your ALCS systems
//*  with CRAS authority. These profiles have names of the form:
//*  luname.CRAS.type

ACF 
SET RESOURCE(ALC)
RECKEY luname ADD( CRAS.type UID(ALCS users uid string) SERVICE(READ) ALLOW)

//*
//*  section 2.4.17 ALCSAUTH profiles - application functions

//*  You can create profiles to control which user IDs can access various functions and
//*  facilities of your ALCS applications. These profiles have names of the form:
//*  luname.ALCSAPPL.appl.qual
//*  Where:
//*    appl = CRN of an ALCS application
//*    qual = One or more qualifiers joined by period (full stop) characters. Together
//*    these qualifiers identify a facility or function of your application.

ACF 
SET RESOURCE(ALC)
RECKEY luname ADD( ALCSAPPL.appl.qual UID(ALCS users uid string) SERVICE(READ) ALLOW)
RECKEY luname ADD( ALCSAPPL.appl.qual2 UID(ALCS users uid string) SERVICE(READ, UPDATE) ALLOW)

//*  When an ALCS application calls the AUTHC service, ALCS checks that the user
//*  ID that originated the transaction has access to the corresponding profile in
//*  the ALCSAUTH class. AUTHC parameters specify the required level of access
//*  (READ, UPDATE, and so on).

//* ----------------------

//*  2.4.4 Protecting the ALCS product libraries

//*  ACCESS(ALTER) on PERMIT ’DXC.*’ ID(user1) ACCESS(ALTER) is required
//*  to maintain the product libraries. 
//*  ACCESS(READ) should be specified for all other ALCS system programmers 
//*  and application developers
//*  PERMIT ’DXC.*’ ID(alcssysp) ACCESS(ALTER)

ACF
SET RULE
RECKEY DXC ADD( - UID(uid that does maint) ALLOC(A))
RECKEY DXC ACC( - UID(other users including pgmrs) READ(A))

//*

Additional Information

IBM Documentation List for IBM ALCS V2.4.1