ACF2 SDSF security migration, how SDSF determines Group membership as well as the ACF2 equivalents to the TSOAUTH authorities
Article ID: 241304
Updated On:
Products
Issue/Introduction
Configuring ACF2 for SDSF external security. How can a site determine SDSF Group membership as well as the ACF2 equivalents to the TSOAUTH authorities?
How can a site know where or how SDSF assigns a group name GPRNAME=ISFSPROG to a particular id(logonid)?
Environment
Release : 16.0
Component : ACF2 for z/OS
Resolution
How SDSF determines Group membership as well as the ACF2 equivalents to the TSOAUTH authorities.
SDSF determines who belongs to a group on the basis of procedure name, terminal name, user ID, and TSO authority.
SDSF Groups can be defined in two ways:
ISFPARMS uses the GROUP statement.
Assembler macros use the ISFGRP macro.
When a user logs on to TSO their SDSF group assigned is based on the ISFPARM Group definitions that match their ACF2 LOGONID Fields.
SDSF Group membership parameters and ACF2 corresponding LOGONID Fields.
ISFPARM Group ACF2 LOGONID Field Description
ITNAME (NTBL-name) ACC-SRCE(source) *** Includes users by terminal name. *
ILPROC (NTBL-name) TSOPROC(procname) *** Includes users by logon procedure. *
IUID (NTBL-name) LOGONID Includes users by user ID. *
TSOAUTH (JCL) JCL TSO authority JCL **
TSOAUTH (MOUNT) MOUNT TSO authority MOUNT **
TSOAUTH (OPER) OPERATOR TSO authority OPER **
TSOAUTH (ACCT) ACCTPRIV TSO authority ACCT **
Notes
* The ILPROC, ITNAME, and IUID parameters include members. If you use more than one of
these to define a group, a user must meet the requirements of all of them in order to qualify for
inclusion in the group.
** The TSO authorities work together in a logical “AND” process.
*** The source and procname may be changed at TSO system entry based on ACF2 security configuration.
Feedback
