ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

How to restrict access to specific ISPF Panels using ACF2 rules

book

Article ID: 237253

calendar_today

Updated On:

Products

ACF2 - z/OS

Issue/Introduction

Is it possible to use ACF2 rules to restrict access to ISPF panels?

For Example:

COMMON.ISPPLIB contains various panels that provide access to HSI or PII applications.
How to restrict access to these specific panels while allowing normal access to the other panels in the library.

 

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

The easiest way to protect ispf panels  is to use PDS member level protection.

1) create a C(GSO) PDS.suffix record
     ACF
    SET CONTROL(GSO) 
    INSERT PDS.panels  LIBRARY(COMMON.ISPPLIB) RSRCTYPE(PD1)
     END

 2)   Create resource rules for type(PD1)
       ACF
       T R(PD1)
        RECKEY  ********  ADD( UID(*)  ALLOW)                                 <<  initial rule to allow everyone access to every panel.>>
        RECKEY panelid1 ADD( UID(*) PREVENT )                            << prevent everyone to panelid1 >>
        RECKEY panelid1 ADD( UID(alloweduser1) ALLOW)              << except for these allowed users >>
        RCKEY panelid1 ADD( UID(alloweduser2) ALLOW)
        RECKEY panelid2 ADD( UID(*) PREVENT)                             << do the same for panelid2 >>
        RECKEY panelid2 ADD( UID(alloweduser1) ALLOW)
        RECKEY panelid2 ADD( UID(alloweduser2) ALLOW)
        END

3)    add resource type(PD1) to resident resource rules GSO record
       ACF
       SET CONTROL(GSO)
       CHANGE INFODIR  TYPES(R-RPD1)                                              << make the rules resident due to key masking >>
       END

4)    refresh and rebuild resident resource directory
        ACF
        F ACF2,REFRESH(INFODIR)                                                        << activate member level protection >>
         F ACF2,REBUILD(PD1)
        F ACF2,REFRESH(PDS)
        END

You are now protecting  panels panelid1 and panelid2  from COMMON.ISPPLIB

Additional Information

Details of member level protection can be found in techdocs at this link.

https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-acf2-for-z-os/16-0/administrating/administer-records/global-system-option-records-gso/pds-member-level-protection-list-pds.html