ACF2 Support for ENF 71 Signals and RACFSYNC
search cancel

ACF2 Support for ENF 71 Signals and RACFSYNC

book

Article ID: 29123

calendar_today

Updated On:

Products

ACF2 ACF2 - MISC ACF2 - z/OS ACF2 - DB2 Option

Issue/Introduction

IBM CICS provides the RACFSYNC parameter which determines whether or not CICS listens for type 71 ENF events. Does ACF2 emit ENF 71 signals and if so, what events trigger it?

                                                                     

 

Resolution

ACF2 support of IBM ENF SIGNAL TYPE 71 was added with PTF RO61511.

In z/OS 1.11, IBM added an ENF 71 signal for support of z/OS Identity propagation. In z/OS 2.1 (and rolling back to z/OS 1.13), IBM expanded the ENF 71 signaling capability in RACF to allow listeners, such as CICS and Db2, to take actions based on this signal.  The ENF 71 signal is issued to alert listeners to a possible change in a user's or group's authorizations to resources.

For CICS the RACFSYNC={YES|NO} system initialization parameter (SIT) controls whether CICS will listen for the type 71 ENF events.  

ACF2 supports ENF 71 signaling for some ENF-qualifying events.  ACF2 ensures that listeners for ENF 71, such as CICS and Db2, receive correct and expected information in the signal issued by ACF2 and are able to take proper actions based on the signal.            

In ACF2, an ENF 71 signal is automatically sent when any of the following commands is issued:                                                  

  • CHANGE {LIKE(lid-mask) | lid } SUSPEND 
  • CHANGE {LIKE(lid-mask) | lid } CANCEL  
  • DELETE {LIKE(lid-mask) | lid         

ACF2 will also produce an ENF 71 signal for a logical suspend for password violations with PTF SO14547 applied.       

Listeners of IBM ENF 71 signal, such as CICS 5.1+ and Db2 V11+, will receive an ENF 71 signal when an ENF 71-qualifying event occurs in ACF2 on a z/OS 2.1+ system.  

Additional Information

In RACF, an ENF 71 signal is sent when any of the following RACF commands is issued on a z/OS 2.1 system (ENF 71 plist is version 2):      

  • ALTUSER...REVOKE (added at z/OS 1.11 level for CICS ENF support)
  • DELUSER          (added at z/OS 1.11 level for CICS ENF support)
  • CONNECT          (added at z/OS 2.1/1.13 levels for Db2 ENF support)
  • REMOVE           (added at z/OS 2.1/1.13 levels for Db2 ENF support)
  • DELGROUP         (added at z/OS 2.1/1.13 levels for Db2 ENF support)         

In addition, RACF ENF 71 support includes the following:                       

  • The Group ID is added to the ENF 71 signal issued when CONNECT, REMOVE and DELGROUP commands are issued.       
  • The CONNECT command enables a control flag to indicate whether it is a CONNECT REVOKE, for additional granularity.  
Powered by Wolken Software