How do I define the Examine resource CLASS=CAEXAMIN to my external security manager ACF2? What would a sample rule look like?
Component: EXAMIN
Examine makes SAF calls with a resource CLASS=CAEXAMIN, and one of the following entity names:
ENTITY=EXAMMON.BPXEKDA    For z/OS cross-memory services to communicate with the EXAMMON address space.
ENTITY=TRAPAUTH.TEST      For test traps generated through the use of DEBUG flag 16.
ENTITY=TRAPAUTH.BATCH     For other traps issued in batch jobs.
ENTITY=TRAPAUTH.TSO       For other traps issued from a TSO session.
There is no need to define the resource CLASS=CAEXAMIN to ACF2; however, a CLASMAP record can be used to map the resource class to a unique TYPE code. The following example maps the resource class CAEXAMIN to RSRCTYPE(EXA). A site can choose any three-character TYPE code to uniquely associate the resource class with Examine.
SET CONTROL(GSO)
INSERT CLASMAP.caexamin RESOURCE(CAEXAMIN) RSRCTYPE(EXA) POSIT()
Sample ACF2 rule:
$KEY(TRAPAUTH) TYPE(EXA)
 BATCH UID(user2 UID string) SERVICE(READ) ALLOW
 TEST UID(user2 UID string) SERVICE(READ) ALLOW
 TSO UID(user2 UID string) SERVICE(READ) ALLOW
See the ACF2 Security for z/OS Administrator Guide for additional details on inserting a GSO CLASMAP record and writing resource rules.