How to secure user USS directories with ACF2 SAF HFS Security

Products

ACF2 - z/OS

Issue/Introduction

The CA SAF Security exit can be used to recognize the user directory path and the resource can be translated into the $$userid format.
For example, path name /u/user01/xxxx/file1.txt is translated to $$USER01.xxxx.FILE1$TXT.

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

Sample SMP/E usermod found in CAX1JCL0 member UM80001 can be used for path name translation so that user's USS directories using a TYPE(HFS) rule whose $KEY is associated with the user's logonid($$logonid) rather than the full path. The usermod assembles and links CAX1SRC0 assembler source member SAFHFUSR.

When the SAFHFUSR exit returns a user directory path location, Broadcom SAF HFS processing uses that path name to determine if the path name to be validated should be translated to a form such that the user ID of the owner of the path becomes the high-level qualifier of the path name. This allows HFS file rules to be written at the user level and, if running in a decentralized environment, allow users to maintain their own HFS file rules. The default is that no translation takes place for user directories.

For example, logonid USER01 has a USS directory /y/user01, if the exit returns the value /u/ as the user directory path name location, and the file accessed is /u/user01/xfile(where USER01 is the logonid), then the resource name validated is $$USER01.XFILE rather than /u/user01/xfile. A rule to allow logonid USER01 access to all files in user01 directory could be:

$KEY($$USER01) TYPE(HFS) XFILE
- UID(uid string for user001) ALLOW

When the exit returns the character 'Y' indicating that user ownership of files within one's own directory is in effect, no validation is performed when the current user's logonid matches that in the user directory. In the previous example, validation is bypassed when USER01 accesses file /u/user01/xfile. This option is meaningless if a user directory path location is not also returned.

The SAFHFUSR source as distributed the location that USS directories are anchored can be found in PATHTAB table. This table has the following locations coded: /U.USERS, /U.USER, /u.users and /u.user. Site should modify the PATHTAB table based on the location of their USS User directories as well the case of the directories names if using mixed case TYPE(HFS) rules. (To determine if mixed case path names are being used, issue the SHOW CLASMAP command and look for an external CLASMAP record with resource CLASS = HFSSEC MIXED = YES).

Sample JCL to apply usermod UM80001

//JXBHFS2 JOB 9,'REC AND APP UM80001',MSGCLASS=X,CLASS=X
//*************************************************************
//* *
//* CA ACF2 (16.0) SECURITY FOR z/OS *
//* Copyright (C) 2015 CA, INC. All rights reserved. *
//* *
//*************************************************************
//*
//SMP EXEC PGM=GIMSMP,REGION=0K,PARM='DATE=U'
//*
//SMPCSI DD DSN=your.ACF2.R16.CSI,DISP=SHR
//SMPPTFIN DD DSN=your.ACF2.R16.CAX1JCL0(UM80001),DISP=SHR
//SMPHOLD DD DUMMY
//* UNIT=,VOL=,LABEL=
//*
//SMPCNTL DD *
SET BOUNDARY(GLOBAL) .
REJECT SELECT (UM80001) BYPASS(APPLYCHECK) .
RESETRC .
RECEIVE SELECT (UM80001) .
SET BOUNDARY(CAIT0) .
APPLY SELECT (UM80001) .
/*
//

Details can be found in ACF2 documentation section: 'Control Access to the Hierarchical File System (HFS)' sub-section 'Exit Processing'.