How to restrict access to specific ISPF Panels using ACF2 rules

Article ID: 237253

Products

ACF2 - z/OS

Issue/Introduction

Is it possible to use ACF2 rules to restrict access to ISPF panels?

For example:

COMMON.ISPPLIB contains various panels that provide access to the XXX or YYY applications.
How can access to these specific panels be restricted while still allowing normal access to the other panels in the library?

Environment

Release: 16.0

Component: ACF2 for z/OS

Resolution

The easiest way to protect ISPF panels is to use PDS member-level protection.

1) Create a C(GSO) PDS.suffix record:

    ACF
    SET CONTROL(GSO)
    INSERT PDS.panels LIBRARY(COMMON.ISPPLIB) RSRCTYPE(PD1)
    END

2) Create resource rules for TYPE(PD1):

    ACF
    T R(PD1)
    RECKEY ******** ADD( UID(*) ALLOW )               << initial rule to allow everyone access to every panel >>
    RECKEY panelid1 ADD( UID(*) PREVENT )             << prevent everyone from accessing panelid1 >>
    RECKEY panelid1 ADD( UID(alloweduser1) ALLOW )    << except for these allowed users >>
    RECKEY panelid1 ADD( UID(alloweduser2) ALLOW )
    RECKEY panelid2 ADD( UID(*) PREVENT )             << do the same for panelid2 >>
    RECKEY panelid2 ADD( UID(alloweduser1) ALLOW )
    RECKEY panelid2 ADD( UID(alloweduser2) ALLOW )
    END

3) Add resource type PD1 to the resident resource rules (INFODIR) GSO record:

    ACF
    SET CONTROL(GSO)
    CHANGE INFODIR TYPES(R-RPD1)                      << make the rules resident due to key masking >>
    END

4) Refresh and rebuild the resident resource directory:

    ACF
    F ACF2,REFRESH(INFODIR)                           << activate member-level protection >>
    F ACF2,REBUILD(PD1)
    F ACF2,REFRESH(PDS)
    END

Panels panelid1 and panelid2 in COMMON.ISPPLIB are now protected.
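
The following is an added example, not part of the original article and not ACF2 code: a simplified Python model of the step 2 rule set for checking which panels a given UID would be refused before the rules are activated. It assumes that the most specific matching key is used, that the most specific matching UID mask within that rule decides, that a UID mask matches as a prefix, and that a request with no matching rule line is denied; the panel names and UID strings in the sample run are constructed.

```python
# Added example: simplified model of the step 2 rule set, not ACF2 code.
# Assumptions: '*' masks one character; the most specific matching key is used,
# then the most specific matching UID mask in that rule; a UID mask matches as
# a prefix; a request with no matching rule line is denied.
RULES = [  # (key mask, UID mask, allowed) using the page's placeholder names
    ("********", "*", True),
    ("PANELID1", "*", False),
    ("PANELID1", "ALLOWEDUSER1", True),
    ("PANELID1", "ALLOWEDUSER2", True),
    ("PANELID2", "*", False),
    ("PANELID2", "ALLOWEDUSER1", True),
    ("PANELID2", "ALLOWEDUSER2", True),
]

def key_match(mask, member):
    """Compare an 8-character member name with a key mask."""
    mask, member = mask.upper().ljust(8), member.upper().ljust(8)
    return all(m in ("*", c) for m, c in zip(mask, member))

def uid_match(mask, uid):
    """Compare only the leading len(mask) characters of the UID string."""
    uid = uid.upper().ljust(len(mask))
    return all(m in ("*", c) for m, c in zip(mask.upper(), uid))

def specificity(mask):
    return sum(ch != "*" for ch in mask)

def decide(member, uid, rules=RULES):
    """Return True if the modelled rule set allows uid to use the member."""
    keys = [k for k, _, _ in rules if key_match(k, member)]
    if not keys:
        return False  # no rule covers this member
    best = max(keys, key=specificity)
    lines = [(u, ok) for k, u, ok in rules if k == best and uid_match(u, uid)]
    if not lines:
        return False  # rule found, but no line matches this UID
    return max(lines, key=lambda line: specificity(line[0]))[1]

def denied_panels(members, uid, rules=RULES):
    """List the members a given UID would be refused."""
    return [m for m in members if not decide(m, uid, rules)]

if __name__ == "__main__":
    panels = ["PANELID1", "PANELID2", "OTHERPNL"]  # constructed member names
    for uid in ("ALLOWEDUSER1", "SOMEUSER"):        # constructed UID strings
        print(uid, "denied:", denied_panels(panels, uid))
    # Without the ******** line, unlisted panels have no rule and are refused.
    print("no catch-all:", denied_panels(panels, "SOMEUSER", RULES[1:]))
```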

Additional Information

Details of member-level protection can be found in TechDocs at this link:

https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-acf2-for-z-os/16-0/administrating/administer-records/global-system-option-records-gso/pds-member-level-protection-list-pds.html