Activating SAF HFS security on USS

Article ID: 26653

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

How is the CA SAF HFS security for the USS Hierarchical File System activated?

Resolution

A site has two options to secure the Hierarchical File System (HFS):

  1. The security internal to z/OS UNIX System Services, which is based on a UNIX model of security through the use of UID, GID and permission bits.

  2. SAF HFS security, in which the standard ACF2 for z/OS security resource rules are used to secure the HFS. Native UNIX file permission bit security is bypassed, as is the superuser authority to access any file.

SAF HFS security can be activated automatically during ACF2 initialization or dynamically just for the current duration of the IPL.

The GSO UNIXOPTS HFSSEC|NOHFSSEC setting controls, by default, whether SAF HFS security starts during ACF2 initialization. When GSO UNIXOPTS is set to HFSSEC, SAF HFS security will be active, and the TSO ACF command "SHOW UNIXOPTS" will display "HFS SECURITY ACTIVE: YES".

There are two methods to activate SAF HFS security dynamically. Both of these methods activate SAF HFS security only for the duration of the current IPL:

  1. Issue the modify ACF2 operator command: F ACF2,HFS(ENABLE)

    The syntax of the operator command is F ACF2,HFS(STATUS|ENABLE|DISABLE)

    The command may be used to enable, disable and check the status of SAF HFS Security. 

  2. Run the batch SAFHFMOD utility which allows authorized users to display the status of and to enable or disable SAF HFS security.

    Sample JCL follows:

    //jobname JOB CLASS=a
    //stepname EXEC PGM=SAFHFMOD,PARM=function


    where function is ENABLE, DISABLE or STATUS, to enable, disable or check the status of SAF HFS Security.

Additional Information

Details on activating CA SAF HFS Security can be found in the Techdoc "Implement SAF HFS Security".