Is there an ACF2 equivalent to the RACF security setup for RMF?

Article ID: 44511

Updated On:

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, PanApt, PanAudit

Issue/Introduction

Is there an ACF2 equivalent to the RACF security setup for RMF?

Environment

Release:
Component: ACF2MS

Resolution

The following are the RACF RMF security setup statements, followed by the ACF2 equivalent statements as appropriate.

* RACF

Rdefine started RMF.* stdata(user(RMF) trusted(yes))

Rdefine started RMFGAT.* stdata(user(RMFGAT) trusted(yes))

Rdefine started GPMSERVE.* stdata(user(GPMSERVE) trusted(yes))

Rdefine started GPM4CIM.* stdata(user(GPMSERVE) trusted(yes))

Setropts raclist(started) refresh

* ACF2

SET CONTROL(GSO)

INSERT STC.rmf STCID(RMF-) LOGONID(RMF)

INSERT STC.rmfgat STCID(RMFGAT-) LOGONID(RMFGAT)

INSERT STC.gpmserve STCID(GPMSERVE) LOGONID(GPMSERVE)

INSERT STC.gpm4cim STCID(GPM4CIM) LOGONID(GPMSERVE)

F ACF2,REFRESH(STC)

* RACF

Permit BPX.DAEMON class(facility) id(GPMSERVE) access(read)

Permit BPX.SERVER class(facility) id(GPMSERVE) access(read)

Permit BPX.STOR.SWAP class(facility) id(GPMSERVE) access(read)

* ACF2

SET RESOURCE(FAC)

RECKEY BPX ADD(DAEMON UID(UID string for GPMSERVE) SERVICE(READ) ALLOW)

RECKEY BPX ADD(SERVER UID(UID string for GPMSERVE) SERVICE(READ) ALLOW)

RECKEY BPX ADD(STOR.SWAP UID(UID string for GPMSERVE) SERVICE(READ) ALLOW)

* RACF

Rdefine program GPM* addmem('sys1.serblink'//nopadchk) UACC(read)

Rdefine program ERB* addmem('sys1.serblink'//nopadchk) UACC(read)

Rdefine program CEEBINIT addmem('CEE.SCEERUN'//nopadchk) UACC(read)

Rdefine program IEEMB878 addmem('sys1.linklib'//nopadchk) UACC(read)

Rdefine program CELHV003 addmem('sys1.SCREERUN2'//nopadchk) UACC(read)

Rdefine program C128 addmem('sys1.SCREERUN2'//nopadchk) UACC(read)

Rdefine program CELHDCPP addmem('sys1.SCREERUN2'//nopadchk) UACC(read)

* ACF2

There is no exact ACF2 equivalent for NOPADCHK, which in RACFland means that any program-restricted dataset access should not have to list any of the programs from these libraries. The similar function in ACF2 is program pathing, which uses PROGRAM and LIB in access rules.

For ACF2 to address the above steps relating to PADS checking, just ensure that authorized users have READ access (via access rules) to the libraries.

* RACF

Setropts when(program) refresh

Setropts raclist(facility) refresh

* ACF2

ACF

F ACF2,REBUILD(FAC)

* RACF

Rdefine APPL GPMSERVE UACC(READ)

Rdefine APPL GPM4CIM UACC(READ)

* ACF2

Where a resource is not protected by default, RDEFINE is used in RACF to define resources. There is no counterpart to this in CA ACF2. CA ACF2 uses a default protection scheme, which assumes that the resource is protected.