How To Use SAF To Control SDSF Group Membership With Top-Secret

Article ID: 53383

Products

Top Secret

Issue/Introduction

Description:

IBM's RACF SDSF commands documentation converted to Top Secret

Environment

Release:
Component: AWAGNT

Resolution

**** start of IBM doc *****

You can also use SAF to control membership in groups defined with ISFPARMS.
To do this:

  1. Assign a name to each group, as follows:
    ~ With an ISFGRP macro, using the macro label. The label must start in column 1 and be 1-8 characters. It must conform to standard assembler language programming conventions and be unique within ISFPARMS.
    ~ With a GROUP statement, using the NAME parameter.

  2. Define SAF profiles GROUP.group-name.server-name, in the SDSF class, and permit users to them as appropriate.

***** end of IBM doc *****

Solution:

The details of memberships can be summarized as follows:

Function              Resource Name                   Class   Access
Membership in Group   GROUP.group-name.server-name    SDSF    READ

Note:

If the SDSF client is not connected to the SDSF server, the server-name is blank.

Then, as shown in this table, it is translated to RACF as follows:

Resolution:

To authorize membership in a group in ISFPARMS, issue the following commands:

RDEFINE SDSF GROUP.group-name.server-name UACC(NONE)
PERMIT GROUP.group-name.server-name CLASS(SDSF) ID(userid or groupid) ACCESS(READ)

Converted to a CA Top Secret TSS command:

TSS ADD(owningacid) SDSF(GROUP.)
TSS PER(aciduser or acidprofile) SDSF(GROUP.group-name.server-name) -
ACCESS(READ)
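The conversion above can be scripted when many SDSF group profiles have to be migrated. The following is an added example, not code from this article, IBM or the Top Secret product. The function names, the owning ACID SECADM and the sample profile names are assumptions, and any command that does not match the article's RDEFINE/PERMIT pattern is returned for manual review instead of being translated.

```python
import re

# The two RACF command shapes shown in the article (SDSF class, READ access).
RDEFINE_RE = re.compile(r"^RDEFINE\s+SDSF\s+(\S+)\s+UACC\(NONE\)$", re.I)
PERMIT_RE = re.compile(
    r"^PERMIT\s+(\S+)\s+CLASS\(SDSF\)\s+ID\(([^)]+)\)\s+ACCESS\(READ\)$", re.I)

def join_continuations(text):
    """Merge TSO continuation lines (trailing '-' or '+') into one command."""
    commands, pending = [], ""
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.endswith(("-", "+")):
            pending += line[:-1].rstrip() + " "
        else:
            commands.append(re.sub(r"\s+", " ", pending + line))
            pending = ""
    if pending.strip():                      # dangling continuation at end of input
        commands.append(pending.strip())
    return commands

def racf_to_tss(text, owning_acid):
    """Apply the article's mapping; return (tss_commands, untranslated)."""
    tss, skipped, owned = [], [], False
    for cmd in join_continuations(text):
        m = RDEFINE_RE.match(cmd) or PERMIT_RE.match(cmd)
        if not m or not m.group(1).upper().startswith("GROUP."):
            skipped.append(cmd)              # outside the mapping: review by hand
            continue
        if not owned:                        # as in the article, ADD of GROUP. comes first, once
            tss.append(f"TSS ADD({owning_acid}) SDSF(GROUP.)")
            owned = True
        if m.re is PERMIT_RE:                # one TSS PER per ID in the RACF list
            for acid in re.split(r"[,\s]+", m.group(2).strip()):
                tss.append(f"TSS PER({acid}) SDSF({m.group(1)}) ACCESS(READ)")
    return tss, skipped

# Constructed sample input; profile names, IDs and SECADM are assumptions.
SAMPLE = """\
RDEFINE SDSF GROUP.ISFOPER.SDSF UACC(NONE)
PERMIT GROUP.ISFOPER.SDSF CLASS(SDSF) ID(OPER01 OPSGRP) -
  ACCESS(READ)
RDEFINE SDSF GROUP.ISFUSER.SDSF UACC(READ)
"""

if __name__ == "__main__":
    commands, review = racf_to_tss(SAMPLE, "SECADM")
    print("\n".join(commands))
    print("Needs manual review:", review)
```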

Please refer to:

  • Appendix C. SDSF resource names for SAF security in IBM SDSF Operation and Customization Guide.

  • SDSF is a pre-defined CA Top Secret resource class name in the RDT and is documented in the CA Top Secret Command Functions Guide.