z/OS 2.5 requires SDSF security to be converted into external security. What are the steps to convert SDSF ISFPARMS to ACF2 security?
Release : 16.0
Component : ACF2 for z/OS
There is no ACF2 migration utility available that converts ISFPARMS to ACF2 security directly.
There are two steps to convert SDSF ISFPARMS to ACF2 security:
1. Convert ISFPRMxx into RACF commands using the IBM-provided REXX utility
2. Convert the resulting RACF commands into ACF2 rules
After identifying which ISFPRMxx member SDSF is using, determine how security is set up by assessing how users (logonids) are grouped and what they are authorized to do in SDSF, according to this IBM documentation.
The example below takes two SDSF groups, ISFDBA and ISFOPER, from ISFPRMxx (as output by the REXX utility, shown below) and converts these groups to ACF2 security using ROLE-based and UID-based sample rules.
/* Commands for GROUP profiles */
ADDGROUP ISFDBA OWNER(ISF) SUP(ISF)
ADDGROUP ISFOPER OWNER(ISF) SUP(ISF)
There are two ways to convert SDSF groups into ACF2 security rules, as explained below:
a. ROLE based: This is the recommended and comparatively easier implementation method.
ISFPARMS associates logonids with a specific group (ISFDBA and ISFOPER in this example) via the following ISFPRMxx parameters:
ISFPRMxx parameter    Description
Name(Group-Name)      Group name used in the SAF resource
ILPROC(NTBL-Name)     Includes users by logon procedure
ITNAME(NTBL-Name)     Includes users by terminal name
IUID(NTBL-Name)       Includes users by user ID
TSOAUTH(attributes)   Includes users by TSO authority
The first step is to create role records (SET X(ROL)) and add all the logonids associated with the ISFDBA and ISFOPER groups to the corresponding new role record.
Here are sample commands to create the ISFDBA and ISFOPER role records and add logonids according to the NTBL names and attributes:
SET X(ROL)
INSERT ISFOPER include(logonid1,logonid2...logonid3) ROLE
INSERT ISFDBA include(logonid4,logonid5...logonid6) ROLE
F ACF2,NEWXREF,TYPE(ROL)
The next step is to write ACF2 rules for these roles. A sample RACF PERMIT command converted to an ACF2 ROLE-based rule is shown below for the ISFCMD.DSP.ACTIVE.JES2 resource:
/* Commands for SDSF profiles */
PERMIT ISFCMD.DSP.ACTIVE.JES2 CLASS(SDSF) ID(ISFDBA) ACCESS(READ)
PERMIT ISFCMD.DSP.ACTIVE.JES2 CLASS(SDSF) ID(ISFOPER) ACCESS(READ)
ACF
SET RESOURCE(SDF)
RECKEY ISFCMD ADD(DSP.ACTIVE.JES2 ROLE(ISFDBA) SERVICE(READ) ALLOW)
RECKEY ISFCMD ADD(DSP.ACTIVE.JES2 ROLE(ISFOPER) SERVICE(READ) ALLOW)
b. UID based: This can be a slightly more complicated implementation, as the correlation between ISFPRMxx groups and the UID string needs to be worked out.
Taking the same two groups, ISFDBA and ISFOPER, as shown above, to convert them into UID-based rules the UID string definition needs to be examined first.
The UID string has the following fields defined as an example:
Field Name      Field Length
COMPANY         3
STATE           2
DEPT            5
FUNCTION CODE   3
logonid         8
If a logonid field that is part of the UID string, such as FUNCTION CODE (as shown above), correlates to the ISFPARMS groups, for example a FUNCTION CODE of DBA correlating to the ISFPARMS group ISFDBA and a FUNCTION CODE of OPR correlating to the ISFPARMS group ISFOPER:
DBA => ISFDBA
OPR => ISFOPER
Next, UID-string-based rules can be written for the ISFCMD.DSP.ACTIVE.JES2 resource as shown below. The mask masks the 10 positions of COMPANY, STATE and DEPT, fixes the 3-character FUNCTION CODE, and masks the 8-character logonid:
ACF
SET RESOURCE(SDF)
RECKEY ISFCMD ADD(DSP.ACTIVE.JES2 UID(**********DBA********) SERVICE(READ) ALLOW)
RECKEY ISFCMD ADD(DSP.ACTIVE.JES2 UID(**********OPR********) SERVICE(READ) ALLOW)
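The hardest part of the UID-based method is getting the mask positions right for the site's UID layout. The following Python helper is an added example, not part of this article or of ACF2; it assumes the UID layout given above (COMPANY 3, STATE 2, DEPT 5, FUNCTION CODE 3, logonid 8) and ACF2 masking where `*` matches exactly one character in that position. It derives the UID mask for each FUNCTION CODE, checks which ISFPARMS group a given UID string would fall into, and emits the matching RECKEY lines. The UID strings used for the check are constructed sample values.

```python
# Added example (not from the article): derive ACF2 UID masks from the UID
# string layout and check which ISFPARMS group a given UID string falls into.
# Assumed: the UID layout in the article (COMPANY 3, STATE 2, DEPT 5,
# FUNCTION CODE 3, logonid 8) and ACF2 masking where '*' matches exactly one
# character in that position. Sample UID strings are constructed for illustration.

# Field layout in UID-string order: (field name, length in characters)
UID_LAYOUT = [
    ("COMPANY", 3),
    ("STATE", 2),
    ("DEPT", 5),
    ("FUNCTION CODE", 3),
    ("LOGONID", 8),
]

# FUNCTION CODE value -> ISFPARMS group, as in the article
GROUP_BY_FUNCTION_CODE = {"DBA": "ISFDBA", "OPR": "ISFOPER"}


def field_offset(layout, field):
    """Return (start, length) of a named field within the UID string."""
    start = 0
    for name, length in layout:
        if name == field:
            return start, length
        start += length
    raise KeyError(f"unknown UID field {field!r}")


def build_uid_mask(layout, field, value):
    """Build a mask that fixes one field and wildcards every other position.

    Every position outside the chosen field becomes '*', so the mask length
    always equals the full UID string length.
    """
    start, length = field_offset(layout, field)
    if len(value) != length:
        raise ValueError(f"{field} value must be exactly {length} characters")
    total = sum(n for _, n in layout)
    return "*" * start + value + "*" * (total - start - length)


def uid_matches(mask, uid):
    """ACF2-style positional match: '*' matches any single character."""
    if len(mask) != len(uid):
        return False
    return all(m == "*" or m == u for m, u in zip(mask, uid))


def isfparms_group(uid, layout=UID_LAYOUT):
    """Map a UID string to its ISFPARMS group via the FUNCTION CODE field."""
    start, length = field_offset(layout, "FUNCTION CODE")
    return GROUP_BY_FUNCTION_CODE.get(uid[start:start + length])


def reckey_commands(member="DSP.ACTIVE.JES2", service="READ"):
    """Generate the SET RESOURCE(SDF) and RECKEY ADD lines for each group."""
    lines = ["SET RESOURCE(SDF)"]
    for code in GROUP_BY_FUNCTION_CODE:
        mask = build_uid_mask(UID_LAYOUT, "FUNCTION CODE", code)
        lines.append(
            f"RECKEY ISFCMD ADD({member} UID({mask}) SERVICE({service}) ALLOW)"
        )
    return lines


if __name__ == "__main__":
    # Constructed sample UID strings: COMPANY=ABC, STATE=NY, DEPT=12345,
    # then the FUNCTION CODE and an 8-character logonid.
    for uid in ("ABCNY12345DBAUSER0001",
                "ABCNY12345OPRUSER0002",
                "ABCNY12345ANAUSER0003"):
        print(uid, "->", isfparms_group(uid))
    print("\n".join(reckey_commands()))
```

The third constructed UID string (FUNCTION CODE ANA) maps to no group, which is the case to check for: a logonid whose function code is not in the correlation table gets no SDSF access under these rules, and the site must decide whether that is intended. The helper only models single-character `*` masking; if the site's rules use the trailing `-` mask, or if the UID layout differs from the example table, the layout and match logic need to be adjusted accordingly.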
Further information related to SDSF 2.5 can be found in knowledge document 28218.