After upgrading to z/OS 2.5 and implementing external security with ACF2, users are getting ISF024I USER USER001 NOT AUTHORIZED TO SDSF, NO GROUP ASSIGNMENT when entering SDSF.
ACF2 Release : 16.0
z/OS Release : 2.5
A user must be assigned to a group in order to use SDSF. Users can display the name of the group to which they belong with the WHO command. A resource check for CLASS(SDSF) resource GROUP.group-name.server-name is made for each GROUP defined in the SYS1.PARMLIB member ISFPRMxx (syntax: GROUP NAME(ISFSPROG)).
When a user tries to access SDSF but is not assigned to any group, SDSF issues message ISF024I.
ISF024I USER USER001 NOT AUTHORIZED TO SDSF, NO GROUP ASSIGNMENT
For example, if SYS1.PARMLIB ISFPRMxx defines these three groups:
GROUP NAME(ISFSPROG)
GROUP NAME(ISFOPER)
GROUP NAME(ISFUSER)
The ACFRPTRV report shows that resource validations are done for the three groups defined in ISFPRMxx (ISFSPROG, ISFOPER and ISFUSER) and that logonid USER001 does not have access (*VIO) to any of them:
RSDF-GROUP.ISFSPROG.SDSF *VIO RSDF-********
0219 USER001 VTAMXXX SYSX ACF9CFAT NO-RULE - DIRECTRY READ
22.362 12/28 09.51 USER001 USER001 USERNAME 0 0 20 0 16
SAF RESOURCE CLASS SDSF
RESOURCE NAME: GROUP.ISFSPROG.SDSF
RSDF-GROUP.ISFOPER.SDSF *VIO RSDF-********
0219 USER001 VTAMXXX SYSX ACF9CFAT NO-RULE - DIRECTRY READ
22.362 12/28 09.51 USER001 USER001 USERNAME 0 0 20 0 16
SAF RESOURCE CLASS SDSF
RESOURCE NAME: GROUP.ISFOPER.SDSF
RSDF-GROUP.ISFUSER.SDSF *VIO RSDF-********
0219 USER001 VTAMXXX SYSX ACF9CFAT NO-RULE - DIRECTRY READ
22.362 12/28 09.51 USER001 USER001 USERNAME 0 0 20 0 16
SAF RESOURCE CLASS SDSF
RESOURCE NAME: GROUP.ISFUSER.SDSF
USER001 enters 'SDSF' and gets the ISF024I message:
ISF024I USER USER001 NOT AUTHORIZED TO SDSF, NO GROUP ASSIGNMENT
Access is given to USER001 by adding the following rule.
ACF
SET RESOURCE(SDF)
RECKEY GROUP ADD(ISFUSER.SDSF USER(USER001) ALLOW)
$KEY(GROUP) TYPE(SDF) ROLESET
ISFUSER.SDSF USER(USER001) ALLOW
Now USER001 enters 'SDSF' and issues the 'WHO' command:
SDSF MENU V2R5M0 MINIPLEX SYSX LINE 1-40 (73)
COMMAND INPUT ===> SCROLL ===> PAGE
USERID=USER001,PROC=PROC333,TERMINAL=VTAMXXX,GRPINDEX=3,GRPNAME=ISFUSER,
SECLABEL=,MVS=z/OS 02.05.00,JES=z/OS 2.5,SDSF=HQX77D0,ISPF=N/A,
RMF/DA=HSF/NORMF,SERVER=YES,SERVERNAME=SDSF,JESNAME=JES2,MEMBER=SYSX,
JESTYPE=JES2,SYSNAME=SYSX,SYSPLEX=MINIPLEX,COMM=NOTAVAIL,COMMX=ENABLED,
JOBID=TSU03333,XCFGROUP=MVSSYSX,SESSID=5,NUMSESS=1
Now the ACFRPTRV report shows violations for the first two groups, ISFSPROG and ISFOPER, and access allowed to group ISFUSER:
RSDF-GROUP.ISFSPROG.SDSF *VIO RSDF-********
0219 USER001 VTAMXXX SYSX ACF9CFAT NO-RULE - DIRECTRY READ
22.362 12/28 10.07 USER001 USER001 USERNAME 0 0 20 0 16
SAF RESOURCE CLASS SDSF
RESOURCE NAME: GROUP.ISFSPROG.SDSF
RSDF-GROUP.ISFOPER.SDSF *VIO RSDF-********
0219 USER001 VTAMXXX SYSX ACF9CFAT NO-RULE - DIRECTRY READ
22.362 12/28 10.07 USER001 USER001 USERNAME 0 0 20 0 16
SAF RESOURCE CLASS SDSF
RESOURCE NAME: GROUP.ISFOPER.SDSF
RSDF-GROUP.ISFUSER.SDSF TRC RSDF-GROUP
0219 USER001 VTAMXXX SYSX ACF9CFAT RULE - DIRECTRY READ
22.362 12/28 10.07 USER001 USER001 USERNAME 0 0 0 0 0
SAF RESOURCE CLASS SDSF
RESOURCE NAME: GROUP.ISFUSER.SDSF
So even with z/OS 2.5 SDSF external security, users need to be allowed access to at least one of the groups defined in the SYS1.PARMLIB ISFPRMxx member. However, SDSF access will be determined by rules and not by the SDSF groups used with internal SDSF security.
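To find every logonid that will hit ISF024I, the GROUP checks in an ACFRPTRV report can be summarized per user. The following is an added example, not part of the original article or of any Broadcom or IBM tooling. It assumes the flattened record layout shown above (header line, then a line whose second field is the logonid). USER002 and VTAMYYY are constructed sample values.

```python
import re

# Constructed sample, reduced to the two lines per record that the parser uses.
SAMPLE = """\
RSDF-GROUP.ISFSPROG.SDSF *VIO RSDF-********
0219 USER001 VTAMXXX SYSX ACF9CFAT NO-RULE - DIRECTRY READ
RSDF-GROUP.ISFOPER.SDSF *VIO RSDF-********
0219 USER001 VTAMXXX SYSX ACF9CFAT NO-RULE - DIRECTRY READ
RSDF-GROUP.ISFUSER.SDSF TRC RSDF-GROUP
0219 USER001 VTAMXXX SYSX ACF9CFAT RULE - DIRECTRY READ
RSDF-GROUP.ISFSPROG.SDSF *VIO RSDF-********
0219 USER002 VTAMYYY SYSX ACF9CFAT NO-RULE - DIRECTRY READ
RSDF-GROUP.ISFOPER.SDSF *VIO RSDF-********
0219 USER002 VTAMYYY SYSX ACF9CFAT NO-RULE - DIRECTRY READ
RSDF-GROUP.ISFUSER.SDSF *VIO RSDF-********
0219 USER002 VTAMYYY SYSX ACF9CFAT NO-RULE - DIRECTRY READ
"""

# Header of a GROUP.group-name.server-name check: group, server, outcome.
HEADER = re.compile(r"^RSDF-GROUP\.([^.\s]+)\.(\S+)\s+(\*VIO|TRC)\b")

def group_checks(report):
    """Return {logonid: {group: allowed}} for the SDSF GROUP checks."""
    checks = {}
    pending = None  # (group, allowed) waiting for its logonid line
    for line in report.splitlines():
        m = HEADER.match(line.strip())
        if m:
            # *VIO marks a violation; the allowed record above is marked TRC.
            pending = (m.group(1), m.group(3) != "*VIO")
            continue
        fields = line.split()
        if pending and len(fields) >= 2:
            group, allowed = pending
            # Later records overwrite earlier ones, so the result reflects
            # the most recent check for each user and group.
            checks.setdefault(fields[1], {})[group] = allowed
            pending = None
    return checks

def no_group_users(report):
    """Logonids denied on every GROUP check: these receive ISF024I."""
    return sorted(u for u, g in group_checks(report).items()
                  if not any(g.values()))

if __name__ == "__main__":
    for user in no_group_users(SAMPLE):
        print(f"{user}: no SDSF group access, expect ISF024I")
```
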