TKE security setup from RACF commands to ACF2 commands
Release : 16.0
Component : CA ACF2 for z/OS
For each step the RACF commands are listed first, followed by the equivalent ACF2 commands.
Associate a user ID (a RACF user ID or group, or an ACF2 logonid) with the TKE Host Transaction Program (HTP) started task.
That user ID, shown as STCuser in the commands below, must be permitted to every ICSF service
in the CSFSERV class that the HTP calls.
Create a STARTED class profile to assign a user ID to the TKE HTP STC.
SETR CLASSACT(STARTED)
SETR RACLIST(STARTED)
RDEFINE STARTED CSFTTCP.CSFTTCP STDATA(USER(STCuser))
SETROPTS RACLIST(STARTED) REFRESH
Create a logonid with the STC attribute, then create a GSO STC record that relates the logonid
to the CSFTTCP procedure.
ACF
SET LID
INSERT STCuser STC NAME(TKE HTP STC)
SET CONTROL(GSO)
INSERT STC.TKE LOGONID(STCuser) STCID(CSFTTCP)
F ACF2,REFRESH(STC)
END
Permit the STCuser user ID to the ICSF services the HTP requires. In RACF the CSFSERV profiles
must already exist before PERMIT is issued; in ACF2 the RECKEY commands create the rule entries
under type CSF directly. Note that F ACF2,REFRESH applies to GSO records only: after adding
resource rules for a type that is resident (listed in the GSO INFODIR record), use
F ACF2,REBUILD(type) to make the new rules effective.
PERMIT CSFCRC CLASS(CSFSERV) ID(STCuser) ACCESS(READ)
PERMIT CSFKIM CLASS(CSFSERV) ID(STCuser) ACCESS(READ)
PERMIT CSFKRC CLASS(CSFSERV) ID(STCuser) ACCESS(READ)
PERMIT CSFKRD CLASS(CSFSERV) ID(STCuser) ACCESS(READ)
PERMIT CSFKRR CLASS(CSFSERV) ID(STCuser) ACCESS(READ)
PERMIT CSFKRW CLASS(CSFSERV) ID(STCuser) ACCESS(READ)
PERMIT CSFKYT CLASS(CSFSERV) ID(STCuser) ACCESS(READ)
PERMIT CSFKYT2 CLASS(CSFSERV) ID(STCuser) ACCESS(READ)
PERMIT CSFPCI CLASS(CSFSERV) ID(STCuser) ACCESS(READ)
PERMIT CSFPKRC CLASS(CSFSERV) ID(STCuser) ACCESS(READ)
PERMIT CSFPKRW CLASS(CSFSERV) ID(STCuser) ACCESS(READ)
PERMIT CSFPKI CLASS(CSFSERV) ID(STCuser) ACCESS(READ)
SETROPTS RACLIST(CSFSERV) REFRESH
ACF
SET R(CSF)
RECKEY CSFCRC ADD( USER(STCuser) SERVICE(READ) ALLOW)
RECKEY CSFKIM ADD( USER(STCuser) SERVICE(READ) ALLOW)
RECKEY CSFKRC ADD( USER(STCuser) SERVICE(READ) ALLOW)
RECKEY CSFKRD ADD( USER(STCuser) SERVICE(READ) ALLOW)
RECKEY CSFKRR ADD( USER(STCuser) SERVICE(READ) ALLOW)
RECKEY CSFKRW ADD( USER(STCuser) SERVICE(READ) ALLOW)
RECKEY CSFKYT ADD( USER(STCuser) SERVICE(READ) ALLOW)
RECKEY CSFKYT2 ADD( USER(STCuser) SERVICE(READ) ALLOW)
RECKEY CSFPCI ADD( USER(STCuser) SERVICE(READ) ALLOW)
RECKEY CSFPKRC ADD( USER(STCuser) SERVICE(READ) ALLOW)
RECKEY CSFPKRW ADD( USER(STCuser) SERVICE(READ) ALLOW)
RECKEY CSFPKI ADD( USER(STCuser) SERVICE(READ) ALLOW)
F ACF2,REBUILD(CSF)
END
Module CSFTTKE must be protected from unauthorized users by the installed External Security Manager.
This example defines a CSFTTKE resource in the FACILITY class with no default access and permits
only the user ID or group assigned to the CSFTTCP started task:
SETR CLASSACT(FACILITY)
SETR RACLIST(FACILITY)
RDEFINE FACILITY CSFTTKE UACC(NONE)
PERMIT CSFTTKE CLASS(FACILITY) ID(STCuser) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
ACF
SET R(FAC)
RECKEY CSFTTKE ADD( USER(STCuser) SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)
END
CSFTTKE must also be protected in the APPL class, which controls which users (signing on from
the TKE workstation) may use the application when they enter the system.
SETR CLASSACT(APPL)
SETR RACLIST(APPL)
RDEFINE APPL CSFTTKE UACC(NONE)
PERMIT CSFTTKE CLASS(APPL) ID(TKEuser) ACCESS(READ)
SETROPTS RACLIST(APPL) REFRESH
In ACF2 the APPL class maps to type code SAF by default. To use a dedicated type code (APP in this
example), add a GSO CLASMAP record and, if the rules are to be loaded into a resident directory,
an INFODIR entry; the REBUILD command then makes the new rules effective.
ACF
SET CONTROL(GSO)
INSERT CLASMAP.APPL RESOURCE(APPL) RSRCTYPE(APP)
CHANGE INFODIR TYPES(R-RAPP) ADD
F ACF2,REFRESH(CLASMAP)
F ACF2,REFRESH(INFODIR)
SET R(APP)
RECKEY CSFTTKE ADD( USER(TKEuser) SERVICE(READ) ALLOW)
F ACF2,REBUILD(APP)
END
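Every step on this page is the same by-hand translation of one RACF pattern (RDEFINE, PERMIT, SETROPTS RACLIST REFRESH) into its ACF2 counterpart. The following Python script is an added example, not part of the original article and not CA/Broadcom code, that performs that translation mechanically for the command shapes used above, so the procedure can be repeated for further ICSF services or classes. It assumes the class-to-type mappings the page relies on (CSFSERV to CSF, FACILITY to FAC, APPL to SAF unless a CLASMAP override is given), maps only READ and UPDATE and rejects CONTROL and ALTER rather than guessing, refuses any RDEFINE whose UACC is not NONE (ACF2's default deny would otherwise hide a widening of access), emits REBUILD on the assumption that the type is resident, and turns a STARTED-class profile into a GSO STC record while leaving the logonid itself to be created by hand. The sample input is constructed from the page's own APPL commands with the TKEuser placeholder kept.

```python
"""Added example (not from the article or CA/Broadcom): translate the RACF
RDEFINE / PERMIT / SETROPTS pattern used on this page into ACF2 commands."""
import re

# RACF class -> ACF2 type code when no CLASMAP record overrides it.  CSFSERV->CSF
# and FACILITY->FAC are what the page relies on; APPL falls back to SAF.
# Assumption: these match the ACF2 internal defaults on the target system.
DEFAULT_CLASMAP = {"CSFSERV": "CSF", "FACILITY": "FAC", "APPL": "SAF"}
# RACF access level -> ACF2 SERVICE() keyword.  Only the two unambiguous levels;
# CONTROL/ALTER are rejected so that a person decides them.
ACCESS_TO_SERVICE = {"READ": "READ", "UPDATE": "UPDATE"}

PERMIT_RE = re.compile(r"^PERMIT\s+(?P<res>\S+)\s+CLASS\((?P<cls>\w+)\)\s+"
                       r"ID\((?P<id>\w+)\)\s+ACCESS\((?P<acc>\w+)\)\s*$", re.I)
RDEFINE_RE = re.compile(r"^RDEFINE\s+(?P<cls>\w+)\s+(?P<res>\S+)", re.I)
REFRESH_RE = re.compile(r"^SETR(?:OPTS)?\s+RACLIST\((?P<cls>\w+)\)\s+REFRESH\s*$", re.I)
# CLASSACT / RACLIST activation has no ACF2 counterpart and is dropped.
IGNORE_RE = re.compile(r"^SETR(?:OPTS)?\s+(?:CLASSACT|RACLIST)\(\w+\)\s*$", re.I)


def translate(racf_lines, clasmap_overrides=None):
    """Return the ACF2 command lines equivalent to racf_lines.  clasmap_overrides
    gives the type code chosen for a class, e.g. {"APPL": "APP"}, and makes the
    GSO CLASMAP/INFODIR commands be emitted first, as the page does for APPL."""
    overrides = {k.upper(): v.upper() for k, v in (clasmap_overrides or {}).items()}
    clasmap = {**DEFAULT_CLASMAP, **overrides}
    stc_records = []  # GSO STC records derived from STARTED-class profiles
    rules = {}        # type code -> RECKEY lines, in first-seen order
    rebuild = set()   # type codes whose resident directory needs a REBUILD
    for raw in racf_lines:
        line = raw.strip()
        if not line or IGNORE_RE.match(line):
            continue
        m = RDEFINE_RE.match(line)
        if m and m["cls"].upper() == "STARTED":
            # procname.jobname -> GSO STC record keyed by procedure name.  The
            # logonid itself (INSERT lid STC ...) still has to be created by hand.
            u = re.search(r"STDATA\(USER\((\w+)\)", line, re.I)
            if not u:
                raise ValueError(f"STARTED profile without STDATA(USER()): {line}")
            proc = m["res"].split(".")[0].upper()
            stc_records.append(f"INSERT STC.{proc} LOGONID({u[1]}) STCID({proc})")
            continue
        if m:
            # ACF2 denies by default, so UACC(NONE) needs no rule; any other UACC
            # would silently widen access, so refuse to translate it.
            uacc = re.search(r"\bUACC\((\w+)\)", line, re.I)
            if uacc and uacc[1].upper() != "NONE":
                raise ValueError(f"UACC({uacc[1]}) on {m['res']} has no safe translation")
            continue
        m = PERMIT_RE.match(line)
        if m:
            cls, svc = m["cls"].upper(), ACCESS_TO_SERVICE.get(m["acc"].upper())
            if cls not in clasmap:
                raise ValueError(f"no ACF2 type code known for class {cls}")
            if svc is None:
                raise ValueError(f"ACCESS({m['acc']}) needs a hand-chosen SERVICE mapping")
            rules.setdefault(clasmap[cls], []).append(
                f"RECKEY {m['res'].upper()} ADD(USER({m['id']}) SERVICE({svc}) ALLOW)")
            continue
        m = REFRESH_RE.match(line)
        if m:
            if m["cls"].upper() in clasmap:
                rebuild.add(clasmap[m["cls"].upper()])
            continue
        raise ValueError(f"unrecognised RACF command: {line}")

    out = ["ACF"]
    if stc_records or overrides:
        out.append("SET CONTROL(GSO)")
        out.extend(stc_records)
        for cls, typ in overrides.items():
            out.append(f"INSERT CLASMAP.{cls} RESOURCE({cls}) RSRCTYPE({typ})")
            out.append(f"CHANGE INFODIR TYPES(R-R{typ}) ADD")
        if stc_records:
            out.append("F ACF2,REFRESH(STC)")
        if overrides:
            out.extend(["F ACF2,REFRESH(CLASMAP)", "F ACF2,REFRESH(INFODIR)"])
    for typ, recs in rules.items():
        out.append(f"SET R({typ})")
        out.extend(recs)
        if typ in rebuild:  # assumption: the type is resident (listed in INFODIR)
            out.append(f"F ACF2,REBUILD({typ})")
    out.append("END")
    return out


# Constructed input: the page's APPL section with its TKEuser placeholder kept.
SAMPLE_APPL = [
    "SETR CLASSACT(APPL)",
    "SETR RACLIST(APPL)",
    "RDEFINE APPL CSFTTKE UACC(NONE)",
    "PERMIT CSFTTKE CLASS(APPL) ID(TKEuser) ACCESS(READ)",
    "SETROPTS RACLIST(APPL) REFRESH",
]

if __name__ == "__main__":
    print("\n".join(translate(SAMPLE_APPL, {"APPL": "APP"})))
```

Run against the page's STARTED, CSFSERV and FACILITY sections the script reproduces the ACF2 commands shown above (with REBUILD rather than REFRESH after the resource rules). RACF group IDs are emitted as USER() operands unchanged; on ACF2 they normally become UID-string masks, which is a decision the script deliberately leaves to the administrator.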