How to define an ACF2 SCOPE record to allow user access to several specific INFOSTG records and prevent access to all others

Article ID: 26327

Products

ACF2, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

ACF2 SCOPE INF records can be used to allow/limit a user's access to records in the ACF2 INFOSTG database. This article details how to define a SCOPE record to allow user access to several specific INFOSTG records and prevent access to all others.

Environment

Release:
Component: ACF2MS

Resolution

The INF parameter of the ACF2 SCOPE record is used to limit/allow access to records in the ACF2 INFOSTG database. If a record mask matching the record type is not found in this parameter, access will not be allowed to that record in the INFOSTG database.

The general format for most INF records is as follows.

INF(ctttk)
    | | |     
    | | k Record ID name ie. ACFM, PAYROLL, OPTS
    | | 
    |ttt Type code (ie. GSO, PLN, SGP, EXP, AUT, DSN, SAF, SCP, ZON, RGP).
    |
    c Storage class (C, D, E, F, I, P, R, S, T, X)

The following tables list the different types and descriptions for the 10 Storage Classes that can be specified in the SCOPE INF record along with samples.

A single value or a list of values can be specified using the ACF2 masking characters asterisk (*) and dash (-). If the dash (-) mask character is used anywhere except at the end of an INF parameter, it is taken as a literal character. To use masking in the middle of an INF parameter, the asterisk (*) character must be used. For example, INF(RSAFTEST.****.RESOURCE) can be used to mask a four-character second-level resource.

Storage class: C Control records 
Type  Description 
---   ------------------------------
LDS   LDAP Directory Services * See note
GSO   Global System Options * See note
CPF   Command Propagation * See note
CAC   Cache Records * See note
NET   Distributed Database Records * See note
SMS   Storage Management Class Records
TSO   TSO Full-Screen Logon Retention Records
CIC   ACF2/CICS Control Records
 
Sample: INF(CLDS-, CGSO-, CCPF-, CCAC-, CNET-, CSMS-, CTSO-, CCIC-)

* Note: These control records include the SYSID in the INF parameter.

INF(ctttssssssssk)
    | |    |    |
    | |    |    k Record ID name ie. ACFM, PAYROLL, OPTS
    | |    |
    | | ssssssss Sysid name on which cross-reference records reside.
    | | 
    |ttt Type code (ie. GSO, PLN, SGP, EXP, AUT, DSN, SAF, SCP, ZON, RGP).
    |
    c Storage class (C, D, E, F, I, P, R, S, T, X)

Storage class: D DB2 records
Type  Description     
---   ------------------------------
BPL   Buffer Pools
COL   Collections
DBS   Databases
FNC   Functions (DB2 Version 6.1 and above)
JAR   JAR files (DB2 Version 7.1 and above)
PKG   Packages
PLN   Application Plans
PRC   Stored Procedures (DB2 Version 6.1 and above)
SCH   Schemas (DB2 Version 6.1 and above)
SEQ   Sequences
STG   Storage Groups
SYS   System Privileges and Utilities
TBL   Tables (and views)
TSP   Table Spaces
TYP   Distinct Types (DB2 Version 6.1 and above)
 
Sample: INF(DBPL-, DSNA-)

Storage class: E Entry records
Type  Description  
---   ---------------------------
SGP   Entry Source Group Records
SRC   Entry Source Records
Sample: INF(ESGP-, ESRC-)
 
Storage class: F Field records 
Type  Description 
---   ------------------------------
REC   RECORD Definition Records
Sample: INF(FREC-)
 
Storage class: I Identity records 
Type  Description 
---   ------------------------------
AUT   Identity Records
Sample: INF(IAUT-)
 
Storage class: P Profile records
Type  Description          
---   ------------------------------ 
ALU   APPCLU Records
DSN   DATASET Records
DLF   DLFCLASS Records
GRP   GROUP Records
KEY   KEYSMSTR Records
PTK   PTKTDATA Records
SDB   SDB2 Records
SEC   SECLABEL Records
SMV   SYSMVIEW Records
USR   USER Records
 
Sample: INF(PUSROMVS-, PGRP-)

Profile records also contain a SYSID field that may be 4 or 8 bytes depending on your system.  If you scope a user that starts with K, a sample would look like:
Sample:  INF(PUSROMVS****K-)
 
Storage class: R Resource rule records 
Type  Description    
---   ------------------------------
xxx   Type Code for resource class
SAF   SAF Resource Class
Sample: INF(RSAF-,RFACIRR.DIG****.-)
 
Storage class: S Scope records 
Type  Description   
---   ------------------------------
SCP   Scope Records
Sample: INF(sscp-)
 
Storage class: T Shift records 
Type  Description    
---   ------------------------------
SFT   Shift Records
ZON   Zone Records
Sample: INF(tsft-)
 
 
Storage class: X Cross-reference records 
Type  Description    
---   ------------------------------
SGP   XREF Source Group Records
RGP   XREF Group Group Records
ROL   XREF Role Group Records
Sample: INF(xsgp-, xrgp-, xrolssssssssPAYGRP) where ssssssss is the SYSID

Sample INSERT of a SCOPE record with the INF parameter.
 
 ACF
set scope(scp)
 SCOPE
insert scope1 dsn(payroll) lid(act-) uid(1h*pr-) INF(ESRC-,XSGP-,PUSROMVS-, RFACIRR.DIG****.-)
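
An added example, not part of the original article or of ACF2 itself: a small Python model of the INF matching rules described above, run against the INF list from the sample INSERT to show which record keys fall inside the scope. The record keys are constructed, and the matching semantics (each asterisk stands for exactly one character, a trailing dash for any remaining characters, case-insensitive comparison) are assumptions made for this model.

```python
import re

def parse_inf(text):
    """Extract the mask list from an 'INF(a, b, ...)' parameter string."""
    m = re.search(r"INF\(([^)]*)\)", text, re.IGNORECASE)
    if not m:
        raise ValueError("no INF(...) parameter found")
    return [p.strip().upper() for p in m.group(1).split(",") if p.strip()]

def mask_to_regex(mask):
    """Translate one INF mask into an anchored regex.
    Assumptions of this model: each '*' stands for exactly one character and
    a '-' in the final position stands for any remaining characters (or none).
    A '-' anywhere else is a literal, as the article states.
    """
    trailing = mask.endswith("-")
    body = mask[:-1] if trailing else mask
    pattern = "".join("." if ch == "*" else re.escape(ch) for ch in body)
    return re.compile(pattern + (".*" if trailing else "") + r"\Z", re.DOTALL)

def in_scope(inf_masks, record_key):
    """Return the first mask that covers record_key, or None (no access)."""
    key = record_key.upper()
    for mask in inf_masks:
        if mask_to_regex(mask).match(key):
            return mask
    return None

def audit(inf_text, record_keys):
    """Map each candidate record key to the mask that admits it (or None)."""
    masks = parse_inf(inf_text)
    return {key: in_scope(masks, key) for key in record_keys}

# INF list from the article's sample INSERT; the record keys are constructed.
SAMPLE_INF = "INF(ESRC-,XSGP-,PUSROMVS-, RFACIRR.DIG****.-)"
SAMPLE_KEYS = [
    "ESRCTERM01", "XSGPPAYGRP", "PUSROMVSSYSAPAYUSR", "RFACIRR.DIGABCD.LIST",
    "ESGPTERMGRP",         # ESGP- is not in the list
    "PUSRCICSSYSAPAYUSR",  # USER profile that does not start with PUSROMVS
    "RFACIRR.DIGAB.LIST",  # two characters where the mask has four asterisks
    "CGSOSYSAOPTS",        # no C-class mask at all
]

if __name__ == "__main__":
    for key, mask in audit(SAMPLE_INF, SAMPLE_KEYS).items():
        print(f"{key:24} {'covered by ' + mask if mask else 'no matching mask'}")
```

Any key reported with no matching mask is a record the scoped user cannot reach, which makes the output a quick least-privilege review of a proposed INF list before it is inserted.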

 

Additional Information

ACF2 loads scope records into storage at initialization time. Any changes made to these records once CA-ACF2 for z/OS is running (such as adding a new record, changing an existing record, or deleting a record) do not take effect until the records are rebuilt and the user's address space is cycled. To rebuild scope records dynamically, issue the following operator command. After issuing the command, have the user log off and log back on.

F ACF2,REBUILD(SCP),CLASS(S)