Question:  

What are ACF2 equivalent security setup statements for the IBM resource class $OMCANDL?

Answer: 

The IBM RACF security setup commands for the IBM resource class $OMCANDL are as follows.

RDEF $OMCANDL RCMD UACC(NONE) OWNER(GSS) 

DATA('ROUTES MVS AND JES2 COMMANDS TO A DESIRED SYSTEM IN A SYSP- 

LEX') AUDIT(FAILURES(READ)) 

PE RCMD CLASS($OMCANDL) ID(@GZSJR) ACCESS(READ) 

PE RCMD CLASS($OMCANDL) ID(@GZSSR) ACCESS(READ) 

PE RCMD CLASS($OMCANDL) ID(@ZGZS01) ACCESS(READ) 

SETROPTS RACLIST ($OMCANDL) REFRESH

ACF2 Equivalent

Where a resource is not protected by default, RDEFINE is used in RACF to define 

resources. There is no counterpart to this in CA ACF2. CA ACF2 uses a default 

protection scheme, which assumes that the resource is protected. 

There is no internal CLASMAP record for the resource class $OMCANDL, so by default 

when no matching CLASMAP record is found during validation, CA ACF2 uses the first 

three characters of the resource class as the resource type, which would be $OM in 

this case. The three-character resource type code can let you write specific resource 

rules to validate security calls for a specified class. 

To use a different resource type code for a resource class other than $OM, you can 

insert a CLASMAP record specifically for resource class $OMCANDL. For example, to 

change the type code for resource class $OMCANDL from $OM to OMC, insert the following 

CLASMAP record: 

SET CONTROL(GSO) 

INSERT CLASMAP.omc RESOURCE($OMCANDL) RSRCTYPE(OMC) 

F ACF2,REFRESH(CLASMAP)

* Note than any three character TYPE code can be used to fit a site's requirements. 

If a GSO CLASMAP record is created as described above equivalent ACF2 resource 

rules can be written for TYPE(OMC) as shown in the following example. 

SET RESOURCE(OMC) 

RECKEY RCMD ADD( UID(UID string for @USER1) - 

SERVICE(READ) ALLOW) 

RECKEY RCMD ADD( UID(UID string for @USER2) - 

SERVICE(READ) ALLOW) 

RECKEY RCMD ADD( UID(UID string for @ZUSER3) - 

SERVICE(READ) ALLOW) 

F ACF2,REBUILD(OMC) 

-