When setting up our new Multi-User Facility (called MUF) for CA 7, I have a couple questions about the started task UserID/LogonID.
Does my userid need to be the same as the STCname?
Does this userid need any special attributes or privileges (like NON-CNCL)?
Do I also need to use all the ACF2 rules defined for CA 7 in the CAL2OPTN member?
Release : 15.1
Component : Datacom/AD
Datacom/AD does not have any requirement for the STC ID and the Userid that runs it to be the same. In terms of the STC name, many clients will have the STC name match the MUFname/CXXname, and we believe that this makes it easier to maintain the MUF or to issue commands from the console or from your automation tool and know which MUF you are affecting.
Note that the userid that runs the MUF cannot have any special privileges that would override the access controls that are explicitly defined in the External Security rules or profiles. For example, in order for External Security to be enabled, certain resources will deny access to the MUF userid. If the ID is defined with NON-CNCL, it will override those denials, and thus the resource will not be enabled.
For example, the ACF2 definitions include the command
RECKEY ACTIVATE ADD(LEVEL05.FAIL UID(mufuid) PREVENT)
which means that the MUF ID should not be granted access to this resource via "special" privileges.
Likewise, the ACF2 privilege READALL may grant special access when we need access to be denied.
At the rule level, rules should not use WARN mode, because WARN mode grants access and so overrides the failures that must remain denied.
Finally, the CAL2OPTN members contain all the necessary security definitions to configure the security system for CA 7 operation.
As always, please contact Broadcom support for Datacom if you have further questions.