ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

ACF2 SDSF security migration, how SDSF determines Group membership as well as the ACF2 equivalents to the TSOAUTH authorities

book

Article ID: 241304

calendar_today

Updated On:

Products

ACF2 - z/OS

Issue/Introduction

Configuring ACF2 for SDSF external security. How can a site determine SDSF Group membership as well as the ACF2 equivalents to the TSOAUTH authorities?

How can a site know where or how SDSF assigns a group name GPRNAME=ISFSPROG to a particular id(logonid)?

 

 

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

How SDSF determines Group membership as well as the ACF2 equivalents to the TSOAUTH authorities.

SDSF determines who belongs to a group on the basis of procedure name, terminal name, user ID, and TSO authority. 

SDSF Groups can be defined in two ways:
ISFPARMS uses the GROUP statement.
Assembler macros use the ISFGRP macro.

When a user logs on to TSO their SDSF group assigned is based on the ISFPARM Group definitions that match their ACF2 LOGONID Fields.

SDSF Group membership parameters and ACF2 corresponding LOGONID Fields. 

ISFPARM Group       ACF2 LOGONID Field      Description
ITNAME (NTBL-name)  ACC-SRCE(source) ***    Includes users by terminal name. *
ILPROC (NTBL-name) TSOPROC(procname) ***   Includes users by logon procedure. *
IUID (NTBL-name)    LOGONID                 Includes users by user ID. *
TSOAUTH (JCL)       JCL                     TSO authority JCL **
TSOAUTH (MOUNT)     MOUNT                   TSO authority MOUNT **
TSOAUTH (OPER)      OPERATOR                TSO authority OPER **
TSOAUTH (ACCT)      ACCTPRIV                TSO authority ACCT **

Notes
*   The ILPROC, ITNAME, and IUID parameters include members. If you use more than one of
     these to define a group, a user must meet the requirements of all of them in order to qualify for
     inclusion in the group.
**  The TSO authorities work together in a logical “AND” process.
*** The source and procname may be changed at TSO system entry based on ACF2 security configuration.