It is not clear how to set up the map between the RSA userid and the ACF2 userid. For instance, if the RSA userid is userFirstName.userLastName and the ACF2 userid is USER001, how is that implemented? Sites may have several hundred users who will need this access. Is there an automated way of accomplishing this without having to manually create a map for each ID?
Release : 16.0
Component : CA ACF2 for z/OS
Sometimes the RSA userid and the CA ACF2 logonid do not match for a user. RSA mapped userids can be up to 64 bytes long. Optionally, you can map an RSA userid to a CA ACF2 logonid. A user-defined logonid field can be used to store the RSA userid in the CA ACF2 logonid record for the user.
Step 1
This is done by making the appropriate logonid update via usermod UM99901, then issuing the following command: F ACF2,NEWMOD(ACFFDR). A NEWMOD of the ACFFDR cannot be used to update the UID string, SVC or SMF numbers; an IPL is required to modify these ACFFDR options.
Next, update the USERCFDE to include a new @CFDE definition for the USERLID or USERXLID field (LIDRSAID):
@CFDE RSAID,LIDRSAID,CHAR,ALTER=SECURITY+ACCOUNT,LIST=ALL,PRTN=1,
RRTN=1,GROUP=0,ZERO=YES
Note: RSAID is the external field name. LIDRSAID is the internal DSECT field name.
Step 2
The user-defined logonid field is then referenced in the $USERDATA line of a resource rule called RSAUMAP in the CASECMFA class, as follows:
$KEY(RSAUMAP) TYPE(CAS)
$USERDATA(user_defined_logonid_field_name)
For example, if the user-defined logonid field is called RSAID, the rule would be:
$KEY(RSAUMAP) TYPE(CAS)
$USERDATA(RSAID)
After the RSAUMAP rule is stored, issue the F ACF2,REBUILD(CAS) command to make it active.
Step 3
Add the RSA userid in the ACF2 logonid record for the user.
ACF
CHANGE USER001 RSAID(RSA userid)
NOTE: CA ACF2 reverts to using the regular CA ACF2 logonid for the RSA signon validation when one of the following conditions is true:
RSA mapped userids can be up to 64 bytes long.
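For sites with several hundred users, the Step 3 command can be generated from a mapping list rather than typed per ID. The following is an added example, not CA ACF2 or Broadcom code: it validates each pair and emits one CHANGE line per user. The CSV layout, the character sets, the case-insensitive duplicate check and the function name are assumptions, and how the resulting lines are submitted to ACF in bulk is left to the site.

```python
import csv
import io
import re

MAX_RSA_BYTES = 64   # limit stated on this page
FIELD = "RSAID"      # external field name from the @CFDE example
# Assumed character sets: conservative, so a value cannot alter the command.
LOGONID_RE = re.compile(r"^[A-Z0-9@#$]{1,8}$")
RSA_RE = re.compile(r"^[A-Za-z0-9._@-]+$")

def build_commands(csv_text):
    """Return (commands, errors) for rows of 'logonid,rsa_userid'."""
    commands, errors = [], []
    seen_lid, seen_rsa = {}, {}
    for n, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not row or row[0].lstrip().startswith("#"):
            continue  # blank line or comment
        if len(row) != 2:
            errors.append(f"line {n}: expected 2 fields, got {len(row)}")
            continue
        lid, rsa = row[0].strip().upper(), row[1].strip()
        if not LOGONID_RE.match(lid):
            errors.append(f"line {n}: invalid logonid {lid!r}")
        elif not RSA_RE.match(rsa):
            errors.append(f"line {n}: unsafe characters in RSA userid")
        elif len(rsa.encode("utf-8")) > MAX_RSA_BYTES:
            errors.append(f"line {n}: RSA userid exceeds {MAX_RSA_BYTES} bytes")
        elif lid in seen_lid:
            errors.append(f"line {n}: logonid {lid} repeats line {seen_lid[lid]}")
        elif rsa.lower() in seen_rsa:
            # One RSA identity must not unlock two logonids (compared case-insensitively).
            errors.append(f"line {n}: RSA userid already mapped to {seen_rsa[rsa.lower()]}")
        else:
            seen_lid[lid] = n
            seen_rsa[rsa.lower()] = lid
            commands.append(f"CHANGE {lid} {FIELD}({rsa})")
    return commands, errors

# Constructed sample input, not real accounts.
SAMPLE = """\
# logonid,rsa_userid
USER001,jane.doe
USER002,john.smith
USER003,jane.doe
USER004,bad)name
"""

if __name__ == "__main__":
    cmds, errs = build_commands(SAMPLE)
    print("\n".join(cmds + ["REJECTED " + e for e in errs]))
```

Rejected rows are reported rather than silently dropped, so review them before submitting the generated commands.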