How to map RSA userid to ACF2 userid

Article ID: 210338

Products

ACF2 - z/OS

Issue/Introduction

Not clear on setting up the map between the RSA userid and the ACF2 userid. For instance, if the RSA userid is userFirstName.userLastName and the ACF2 userid is USER001, how is that implemented? Sites may have several hundred users who will need this access; is there an automated way of accomplishing this without having to manually create a map for each ID?

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

Sometimes the RSA userid and the CA ACF2 logonid do not match for a user. RSA mapped userids can be up to 64 bytes long. Optionally, you can map an RSA userid to a CA ACF2 logonid. A user-defined logonid field can be used to store the RSA userid in the CA ACF2 logonid record for the user. 

Step 1

This is done by making the appropriate logonid record update via usermod UM99901 and then issuing the following command: F ACF2,NEWMOD(ACFFDR). A NEWMOD of the ACFFDR cannot be used to update the UID string, SVC, or SMF numbers; an IPL is required to modify these ACFFDR options.

  • You need to use extreme caution when adding fields to the logonid record, since this record is used to determine resource access. For example, if you add fields to the logonid record, you need to ensure that this change does not alter the order, length, or offset of the fields that comprise the UID string or of any other field that was previously defined.

  • The safest way to add a site-defined field to the ACF2 logonid record is to add the field at the end of the user portion of the logonid record - in either USERLID or USERXLID sections. This way, the field is only using unused blank bytes at the end of the user portion of the logonid record.

  • You should never add any user-defined fields to the ACFLID or ACFXLID sections of the logonid record as these are reserved for ACF2 defined fields only.

  • For example, to create a new user-defined logonid field LIDRSAID:

    Create the new LIDRSAID internal field in the USERLID or USERXLID DSECT:
     
    LIDRSAID DS    CL64      *** RSA USERID

    Next, update the USERCFDE to include a new @CFDE definition for the USERLID or USERXLID field (LIDRSAID):

    @CFDE  RSAID,LIDRSAID,CHAR,ALTER=SECURITY+ACCOUNT,LIST=ALL,PRTN=1,
                 RRTN=1,GROUP=0,ZERO=YES 

    Note: RSAID is the external field name. LIDRSAID is the internal DSECT field name.

Step 2

The user-defined logonid field is then referenced in the $USERDATA line of a resource rule called RSAUMAP in the CASECMFA class, as follows:

$KEY(RSAUMAP) TYPE(CAS)
$USERDATA(user_defined_logonid_field_name)

For example, if the user-defined logonid field is called RSAID, the rule would be:

$KEY(RSAUMAP) TYPE(CAS)
$USERDATA(RSAID)

After the RSAUMAP rule is stored, issue the F ACF2,REBUILD(CAS) command to make it active.

Step 3

Add the RSA userid in the ACF2 logonid record for the user.

ACF
CHANGE USER001 RSAID(RSA userid)

NOTE: CA ACF2 reverts to using the regular CA ACF2 logonid for the RSA signon validation when one of the following conditions is true:

  • There is no RSAUMAP rule.
  • There is no $USERDATA in the RSAUMAP rule.
  • The Logonid field defined in the $USERDATA is not defined as type character.
  • The Logonid field defined in the $USERDATA is empty.
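For the bulk case raised in the issue (several hundred users), the per-user CHANGE command from Step 3 can be generated from a mapping file rather than typed by hand. The script below is an added example, not part of this article or of CA ACF2; it assumes a CSV with logonid and rsa_userid columns, the external field name RSAID from the @CFDE above, and an 8-character alphanumeric logonid. It skips rows that would silently fall back to the regular logonid (empty RSA userid), exceed the 64-byte field, or map one RSA userid to two logonids.

```python
import csv
import io

# Limits from the article: the mapping field is CL64, so RSA userids are
# up to 64 bytes. The 8-character alphanumeric logonid rule is an assumption.
MAX_RSA_LEN = 64
MAX_LOGONID_LEN = 8
FIELD_NAME = "RSAID"  # external field name from the @CFDE definition

# Constructed sample mapping file (CSV with a header row).
SAMPLE_MAPPING = """logonid,rsa_userid
USER001,userFirstName.userLastName
user002,
USER003,a.b
TOOLONGID1,x.y
USER004,a.b
USER005,has space.here
"""

def _valid_rsa_userid(rsaid):
    # Reject blanks and parentheses so the generated command is unambiguous,
    # and enforce the 64-byte limit on the EBCDIC (cp037) encoding.
    if not rsaid or any(ch.isspace() or ch in "()" for ch in rsaid):
        return False
    try:
        return len(rsaid.encode("cp037")) <= MAX_RSA_LEN
    except UnicodeEncodeError:
        return False

def build_change_commands(mapping_text, field_name=FIELD_NAME):
    """Return (commands, errors): ACF CHANGE lines for valid rows, and
    (line_number, reason) tuples for rows that need manual attention."""
    commands, errors, seen = [], [], {}
    for line_no, row in enumerate(csv.DictReader(io.StringIO(mapping_text)), start=2):
        logonid = (row.get("logonid") or "").strip().upper()
        rsaid = (row.get("rsa_userid") or "").strip()
        if not (0 < len(logonid) <= MAX_LOGONID_LEN and logonid.isalnum()):
            errors.append((line_no, f"invalid logonid {logonid!r}"))
        elif not rsaid:
            # Empty field: ACF2 would revert to the regular logonid at RSA signon
            errors.append((line_no, f"{logonid}: empty RSA userid, fallback would apply"))
        elif not _valid_rsa_userid(rsaid):
            errors.append((line_no, f"{logonid}: RSA userid {rsaid!r} rejected"))
        elif rsaid in seen:
            errors.append((line_no, f"{logonid}: {rsaid!r} already mapped to {seen[rsaid]}"))
        else:
            seen[rsaid] = logonid
            commands.append(f"CHANGE {logonid} {field_name}({rsaid})")
    return commands, errors

if __name__ == "__main__":
    cmds, errs = build_change_commands(SAMPLE_MAPPING)
    print("\n".join(cmds))
    for line_no, reason in errs:
        print(f"# line {line_no}: {reason}")
```

The generated CHANGE lines are issued under the ACF command as in Step 3; review the reported rows before running them.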
