Our site has a requirement that the JES2 VS command ($VS) issued under SDSF be protected using ACF2 resource rules and all other commands revert back to protection by SDSF ISFPARMS (outside of ACF2). How can this be done?
The JES2 VS command ($VS) is used to enter an MVS system command in a job stream, through an automatic JES2 command, or within the JES2 initialization data set.
ACF2 has an internal SAFDEF that ignores RACROUTE CLASS=OPERCMDS resource validations. A GSO SAFDEF can be inserted so that ACF2 validates only the OPERCMDS calls for the JES2 VS command.
When a GSO SAFDEF is INSERTed with an ENTITY specific to the $VS command, ACF2 validates only the RACROUTE CLASS=OPERCMDS calls for $VS. RACROUTE CLASS=OPERCMDS resource validations for all other commands are still ignored by ACF2 (external security), and a return code indicating "No security decision could be made" is passed back to the caller. SDSF uses ISFPARMS to determine authorization when SAF (external security) returns an indeterminate result, that is, when SAF returns a return code of 4.
The following is a sample rule, GSO SAFDEF and the console command to activate the changes.
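Sample rule to allow USER001 to issue the JES2 VS command. As written, UID(*) matches every user's UID string; to limit the rule to USER001, code a UID mask that matches only that user.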
$KEY(JES2) T(SAF) VS.- UID(*) ALLOW
Sample GSO SAFDEF record specifically for the JES2 VS command, and the console command to activate the changes.
ACF
SET C(GSO)
INSERT SAFDEF.oper ID(OPERCMD) MODE(GLOBAL) -
RACROUTE(REQUEST=AUTH,CLASS=OPERCMDS,ENTITYX=JES2.VS)
F ACF2,REFRESH(SAFDEF)
For details on JES2 OPERCMDS validations see the ACF2 Administrator Guide, Chapter 20: JES Security Overview, section "Security Classes", sub-section "OPERCMDS".
For details regarding SDSF ISFPARMS external security (SAF) see the IBM z/OS V1R9.0 SDSF Operation and Customization manual, section "Using SAF for security".