ACF2 SUPPORT IBM ENF SIGNALING PROCESS TYPE 71

Article ID: 29123

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, PanApt, PanAudit

Issue/Introduction

SUPPORT IBM ENF SIGNALING PROCESS TYPE 71

Environment

Release: ACF2..001AO-16-ACF2
Component:

Resolution

CA ACF2 support for IBM ENF signal type 71 was added with APAR RO61511. Details regarding this support follow.


In z/OS 1.11, IBM added an ENF 71 signal for support of z/OS Identity propagation. In z/OS 2.1 (and rolling back to z/OS 1.13), IBM expanded the ENF 71 signaling capability in RACF to allow listeners, such as CICS and DB2, to take actions based on this signal.  The ENF 71 signal is issued to alert listeners to a possible change in a user's or group's authorizations to resources.                          

For CICS, the RACFSYNC={YES|NO} system initialization parameter (SIT) controls whether CICS will listen for type 71 ENF events.

In RACF, an ENF 71 signal is sent when any of the following RACF commands is issued on a z/OS 2.1 system (ENF 71 plist is version 2):      

- ALTUSER...REVOKE (added at z/OS 1.11 level for CICS ENF support)
- DELUSER          (added at z/OS 1.11 level for CICS ENF support)
- CONNECT          (added at z/OS 2.1/1.13 levels for DB2 ENF support)
- REMOVE           (added at z/OS 2.1/1.13 levels for DB2 ENF support)
- DELGROUP         (added at z/OS 2.1/1.13 levels for DB2 ENF support)         

In addition, RACF ENF 71 support includes the following:                       

- The Group ID is added to the ENF 71 signal issued when CONNECT, REMOVE and DELGROUP commands are issued.
- The CONNECT command enables a control flag to indicate whether it is a CONNECT REVOKE, for additional granularity.

CA ACF2 will support ENF 71 signaling for some ENF-qualifying events.  CA ACF2 will ensure that listeners for ENF 71, such as CICS and  DB2, receive correct and expected information in the signal issued by CA ACF2 and are able to take proper actions based on the signal.            

In CA ACF2, an ENF 71 signal is automatically sent when any of the following commands is issued:                                                  

- CHANGE {LIKE(lid-mask) | lid } SUSPEND (RACF ALTUSER REVOKE command)
- CHANGE {LIKE(lid-mask) | lid } CANCEL  (RACF ALTUSER REVOKE command)
- DELETE {LIKE(lid-mask) | lid }         (RACF DELUSER command)

Listeners for the IBM ENF 71 signal, such as CICS 5.1+ and DB2 V11, will receive an ENF 71 signal when an ENF 71-qualifying event occurs in CA ACF2 on a z/OS 2.1+ system.

Additional Information

For details, see the CA ACF2 for z/OS Administration Guide r16, Chapter 3: Maintaining Logonid Records. The 'CANCEL|NOCANCEL' and 'SUSPEND|NOSUSPEND' field descriptions cover the IBM ENF 71 signal.