
z/OSMF security setup with ACF2


Article ID: 229652


Products

ACF2 - z/OS

Issue/Introduction

Is role-based security required for setup of z/OSMF?
The only guide I could find was role-based and not UID-based.
Are cloud rules required for the setup?

 

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-acf2-for-z-os/16-0/installing/configure-z-os-management-facility-for-ca-acf2.html

Although the documentation and the sample JCL all reference role-based security, it is not a REQUIREMENT.
If you do not want to write role-based rules, you can convert them to UID rulesets.

For example:
SET RESOURCE(ZMC)
RECKEY IZUDFLT ADD(ZOSMF.RESOURCE_POOL.WLM.IYU0 ROLE(IYU0RPAW) -
SERVICE(READ) ALLOW)

The TYPE(ZMC) rule can be created as a UID ruleset after ascertaining which users
would be included in ROLE IYU0RPAW.
If that would be user01, user02 and user03, the rule could be written as:

SET RESOURCE(ZMC)                                                
RECKEY IZUDFLT ADD(ZOSMF.RESOURCE_POOL.WLM.IYU0 UID(<user01>) - 
SERVICE(READ) ALLOW)         

RECKEY IZUDFLT ADD(ZOSMF.RESOURCE_POOL.WLM.IYU0 UID(<user02>) - 
SERVICE(READ) ALLOW)

RECKEY IZUDFLT ADD(ZOSMF.RESOURCE_POOL.WLM.IYU0 UID(<user03>) - 
SERVICE(READ) ALLOW)
END
                             

You would need to identify all users associated with each group/role and then change
the rules to specify UIDs instead of the role.
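
The conversion described above, as an added example (not code from the article or from Broadcom): it joins continued ACF statements, then replaces each ROLE(...) entry with one UID(...) entry per member. The role membership table and the function names are assumptions; the UIDs are the article's placeholders.

```python
import re

# Constructed sample input: the role-based rule from the article, with the
# continuation character ("-") at the end of the first RECKEY line.
ROLE_RULES = """\
SET RESOURCE(ZMC)
RECKEY IZUDFLT ADD(ZOSMF.RESOURCE_POOL.WLM.IYU0 ROLE(IYU0RPAW) -
SERVICE(READ) ALLOW)
"""

# Assumed role membership, using the article's placeholder UIDs.
ROLE_MEMBERS = {"IYU0RPAW": ["<user01>", "<user02>", "<user03>"]}

ROLE_RE = re.compile(r"\bROLE\(([^)]+)\)")


def join_continuations(text):
    """Merge lines ending in the '-' continuation character into one statement."""
    statements, pending = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("-"):
            pending += line[:-1].rstrip() + " "
        else:
            statements.append(pending + line)
            pending = ""
    if pending:
        raise ValueError("dangling continuation: " + pending.strip())
    return statements


def roles_to_uids(text, members):
    """Expand every ROLE(x) entry into one UID(...) entry per listed member."""
    out = []
    for stmt in join_continuations(text):
        m = ROLE_RE.search(stmt)
        if not m:
            out.append(stmt)  # SET RESOURCE(...), END, etc. pass through
            continue
        role = m.group(1)
        if not members.get(role):
            # Refuse to emit a partial ruleset: a silently dropped rule changes access.
            raise KeyError("no members listed for role " + role)
        for uid in members[role]:
            out.append(stmt[:m.start()] + "UID(" + uid + ")" + stmt[m.end():])
    return out
```

Each returned statement is on a single line; re-wrap with the continuation character if your input method limits line length, and review the generated rules before compiling them.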

I believe that cloud is required for V2R3 or above.
I would suggest that you start with member ACFMFSEC in CAX1JCL0,
and then you can add other components as required.