Question:
What are ACF2 equivalent security setup statements for the IBM resource class $OMCANDL?
Answer:
The IBM RACF security setup commands for the IBM resource class $OMCANDL are as follows.
RDEF $OMCANDL RCMD UACC(NONE) OWNER(GSS) -
DATA('ROUTES MVS AND JES2 COMMANDS TO A DESIRED SYSTEM IN A SYSPLEX') -
AUDIT(FAILURES(READ))
PE RCMD CLASS($OMCANDL) ID(@GZSJR) ACCESS(READ)
PE RCMD CLASS($OMCANDL) ID(@GZSSR) ACCESS(READ)
PE RCMD CLASS($OMCANDL) ID(@ZGZS01) ACCESS(READ)
SETROPTS RACLIST ($OMCANDL) REFRESH
ACF2 Equivalent
In RACF, RDEFINE is used to define resources where a resource is not protected by
default. There is no counterpart to this in CA ACF2. CA ACF2 uses a default
protection scheme, which assumes that the resource is protected.
There is no internal CLASMAP record for the resource class $OMCANDL. When no
matching CLASMAP record is found during validation, CA ACF2 by default uses the first
three characters of the resource class as the resource type, which is $OM in
this case. The three-character resource type code lets you write specific resource
rules to validate security calls for a specified class.
To use a resource type code other than $OM for this resource class, you can
insert a CLASMAP record specifically for resource class $OMCANDL. For example, to
change the type code for resource class $OMCANDL from $OM to OMC, insert the following
CLASMAP record:
SET CONTROL(GSO)
INSERT CLASMAP.omc RESOURCE($OMCANDL) RSRCTYPE(OMC)
F ACF2,REFRESH(CLASMAP)
* Note that any three-character TYPE code can be used to fit a site's requirements.
If a GSO CLASMAP record is created as described above, equivalent ACF2 resource
rules can be written for TYPE(OMC), as shown in the following example.
SET RESOURCE(OMC)
RECKEY RCMD ADD( UID(UID string for @USER1) -
SERVICE(READ) ALLOW)
RECKEY RCMD ADD( UID(UID string for @USER2) -
SERVICE(READ) ALLOW)
RECKEY RCMD ADD( UID(UID string for @ZUSER3) -
SERVICE(READ) ALLOW)
F ACF2,REBUILD(OMC)
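The conversion above can be scripted. The following Python script is an added example, not CA or IBM code and not part of the original answer: it reads RACF PERMIT commands, resolves the ACF2 resource type (the CLASMAP entry if one is supplied, otherwise the first three characters of the class), and emits RECKEY entries in the layout shown above. The function names and the clasmap dictionary are assumptions; the UID string stays a placeholder because it is site-defined, and only ACCESS(READ), the one mapping shown in this article, is converted.

```python
import re

# Constructed input: the RACF PERMIT commands from the article.
RACF_PERMITS = """\
PE RCMD CLASS($OMCANDL) ID(@GZSJR) ACCESS(READ)
PE RCMD CLASS($OMCANDL) ID(@GZSSR) ACCESS(READ)
PE RCMD CLASS($OMCANDL) ID(@ZGZS01) ACCESS(READ)
"""

PERMIT_RE = re.compile(
    r"^(?:PE|PERMIT)\s+(\S+)\s+CLASS\(([^)]+)\)\s+ID\(([^)]+)\)\s+ACCESS\((\w+)\)\s*$",
    re.IGNORECASE,
)

# Only READ -> SERVICE(READ) appears in the article; any other access level
# is returned for manual review rather than guessed.
ACCESS_TO_SERVICE = {"READ": "READ"}


def resource_type(racf_class, clasmap):
    """Type code for a class: CLASMAP entry if present, else first 3 chars."""
    return clasmap.get(racf_class.upper(), racf_class[:3]).upper()


def convert(permits, clasmap=None):
    """Return (acf2_lines, unconverted_lines) for RACF PERMIT input."""
    clasmap = {k.upper(): v for k, v in (clasmap or {}).items()}
    by_type, skipped = {}, []
    for line in filter(None, (l.strip() for l in permits.splitlines())):
        m = PERMIT_RE.match(line)
        service = ACCESS_TO_SERVICE.get(m.group(4).upper()) if m else None
        if service is None:
            skipped.append(line)  # unparsed line or unmapped access level
            continue
        rtype = resource_type(m.group(2), clasmap)
        for racf_id in m.group(3).split():  # ID() may list several IDs
            by_type.setdefault(rtype, []).append(
                f"RECKEY {m.group(1)} ADD( UID(UID string for {racf_id}) -\n"
                f"SERVICE({service}) ALLOW)")
    out = []
    for rtype, entries in by_type.items():
        out += [f"SET RESOURCE({rtype})", *entries, f"F ACF2,REBUILD({rtype})"]
    return out, skipped


if __name__ == "__main__":
    lines, todo = convert(RACF_PERMITS, {"$OMCANDL": "OMC"})
    print("\n".join(lines))
    print("Manual review:", todo)
```

Lines returned in the second list were not converted and need a manual decision before any rule set is compiled.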