How To Use SAF To Control SDSF Group Membership With Top-Secret
Article ID: 53383
Updated On:
Products
Top Secret
Issue/Introduction
Description:
IBM's RACF SDSF commands documentation converted to Top Secret
*
Environment
Release:
Component: AWAGNT
Component: AWAGNT
Resolution
**** start of IBM doc *****
You can also use SAF to control membership in groups defined with ISFPARMS.
To do this:
- Assign a name to each group, as follows:
~ With an ISFGRP macro, using the macro label. The label must start in column 1 and be 1-8 characters. It must conform to standard assembler language programming conventions and be unique within ISFPARMS.
~ With a GROUP statement, using the NAME parameter. - Define SAF profiles GROUP .group-name.server-name, in the SDSF class, and permit users to them as appropriate.
***** end of IBM doc *****
Solution:
The details of memberships can be summarized as follows:
| Function | Resource Name | Class | Access |
| Membership in Group | GROUP.group-name.server-name | SDSF | READ |
Note:
If the SDSF client is not connected to the SDSF server, the server-name is blank.
Then, as shown in this table, it is translated to RACF as follows:
Resolution:
To authorize membership in a group in ISFPARMS, issue the following commands:
RDEFINE SDSF GROUP.group-name.server-name UACC(NONE) PERMIT GROUP.group-name.server-name CLASS(SDSF) ID(userid or groupid) ACCESS(READ)
Converted to a CA Top Secret TSS command:
TSS ADD(owningacid) SDSF(GROUP.)
TSS PER(aciduser or acidprofile) SDSF(GROUP.group-name.server-name) -
ACCESS(READ)
Please refer to:
- Appendix C. SDSF resource names for SAF security in IBM SDSF Operation and Customization Guide.
- SDSF is a pre-defined CA Top Secret resource class name in the RDT and is documented in the CA Top Secret Commmand Functions Guide
Feedback
Yes
No
Powered by
