Does CA ACF2 support IBM ENF SIGNAL TYPE 71?
In z/OS 1.11, IBM added an ENF 71 signal for support of z/OS Identity
propagation. In z/OS 2.1 (and rolling back to z/OS 1.13), IBM
expanded the ENF 71 signaling capability in RACF to allow listeners,
such as CICS and DB2, to take actions based on this signal.
The ENF 71 signal is issued to alert listeners to a possible change in
a user's or group's authorizations to resources.
In RACF, an ENF 71 signal is sent when any of the following RACF
commands is issued on a z/OS 2.1 system (ENF 71 plist is version 2):
- ALTUSER...REVOKE (added at z/OS 1.11 level for CICS ENF support)
- DELUSER (added at z/OS 1.11 level for CICS ENF support)
- CONNECT (added at z/OS 2.1/1.13 levels for DB2 ENF support)
- REMOVE (added at z/OS 2.1/1.13 levels for DB2 ENF support)
- DELGROUP (added at z/OS 2.1/1.13 levels for DB2 ENF support)
In addition, RACF ENF 71 support includes the following:
- The Group ID is added to the ENF 71 signal issued when
CONNECT, REMOVE and DELGROUP commands are issued.
- The CONNECT command enables a control flag to indicate whether
it is a CONNECT REVOKE, for additional granularity.
CA ACF2 Added support in release 15.0 with ptf RO61511, which carries
through to subsequent releases without maintenance.
CA ACF2 will support ENF 71 signaling for some ENF-qualifying events.
CA ACF2 will ensure that listeners for ENF 71, such as CICS and
DB2, receive correct and expected information in the signal issued
by CA ACF2 and are able to take proper actions based on the signal.
In CA ACF2, an ENF 71 signal is automatically sent when any of the following commands is issued:
- CHANGE {LIKE(lid-mask) | lid } SUSPEND (RACF ALTUSER REVOKE command)
- CHANGE {LIKE(lid-mask) | lid } CANCEL (RACF ALTUSER REVOKE command)
- DELETE {LIKE(lid-mask) | lid (RACF DELUSER command)