The SAFDEF= and MODE= line of the SECTRACE output identifies the SAFDEF record that was used to process the RACROUTE call and the mode CA ACF2 used to process that SAF request.
Solution:
The following is a sample trace record from a SECTRACE:
SMFID= SYS1 TOD= 12:03:41.80 TRACEID= TEST USERID= DUMPSRV
JOBNAME= DUMPSRV ASID= 0005 PGM= IEECB926 CURR RB= SVC099
SFR/RFR= 0/20:16 MODE= TASK APF= AUTHORIZED LOCKS= NONE
SAFDEF= GENAUTH INTERNAL MODE= GLOBAL
RACROUTE REQUEST=AUTH,CLASS='@MAJOPTS',RELEASE=1.9,STATUS=ACCESS,
ATTR=READ,DSTYPE=N,ENTITYX=('USER.SYS1.IGGPOST0.DEFAULTS'),
FILESEQ=0,GENERIC=ASIS,LOG=ASIS,MSGSP=0,MSGSUPP=YES,
TAPELBL=STD,WORKA=
The "SAFDEF= GENAUTH INTERNAL" field identifies the SAFDEF record that CA ACF2 matched. The "SAFDEF=" field displays the ID of the SAFDEF used, followed by either INTERNAL or GSO. "INTERNAL" indicates that the SAFDEF is defined internally by ACF2. "GSO" indicates that the SAFDEF is site-defined by a GSO SAFDEF record. In this example, GENAUTH is the ID of a SAFDEF that is defined internally by ACF2.
The "MODE=" specifies the mode that CA ACF2 will use to process this RACROUTE request. The MODE will be one of the following:
MODE    Description
IGNORE  Bypass processing of this SAF request.
GLOBAL  Process this SAF request with the mode specified in the GSO OPTS record. For generalized resource validations, use the CA ACF2 SVCA recommendation to allow or deny the SAF request.
LOG     Process this REQUEST=AUTH call in LOG mode. Upon return of the validation call, allow access even if access is denied. LOG does not force logging if a logonid is allowed access.
QUIET   Process this REQUEST=AUTH call in QUIET mode.
The SHOW SAFDEF and SHOW ALL subcommands will display all SAFDEFs that are actively being used by the system. For example:
ACF
SHOW SAFDEF
-- SYSTEM AUTHORIZATION FACILITY DEFINITIONS --
IBMMFA JOBNAME=******** USERID=******** PROGRAM=AZFISP64 RB=********
RETCODE=4 SAFDEF=INTERNAL MODE=GLOBAL SUBSYS=-
FUNCRET=4 FUNCRSN=0 NOAPFCHK
RACROUTE REQUEST=AUTH,CLASS='FACILITY',STATUS=ACCESS
HBRADMIN JOBNAME=DMC1MSTR USERID=******** PROGRAM=HBRMAIN RB=********
RETCODE=4 SAFDEF=GSO MODE=IGNORE SUBSYS=****
FUNCRET=4 FUNCRSN=0
RACROUTE REQUEST=EXTRACT,CLASS='HBRADMIN'
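As an added example (not part of the original article and not CA ACF2's own code), the following Python script parses the four-line entries of the SHOW SAFDEF output above and the SAFDEF=/MODE= line of a SECTRACE record, then lists the site-defined (GSO) SAFDEFs whose mode is not GLOBAL. Because MODE=IGNORE bypasses the SAF request and MODE=LOG allows access even when validation denies it, a GSO SAFDEF in one of those modes is a site-configured exception that deserves periodic review; it is not necessarily wrong (the HBRADMIN entry above ignores a REQUEST=EXTRACT, not an AUTH call). The sample input is the page's own SHOW SAFDEF output embedded as a string; the entry layout the parser assumes and the "flag everything non-GLOBAL" review policy are assumptions made for illustration.

```python
"""Audit SAFDEF entries from ACF2 SHOW SAFDEF output and SECTRACE records.

Added example, not part of the original article or of CA ACF2 itself.
The entry layout assumed below and the review policy are assumptions
made for illustration.
"""
import re

# SHOW SAFDEF output as displayed on the page (constructed input for this
# example; in practice it is captured from a TSO ACF session log).
SHOW_SAFDEF_OUTPUT = """\
-- SYSTEM AUTHORIZATION FACILITY DEFINITIONS --
IBMMFA JOBNAME=******** USERID=******** PROGRAM=AZFISP64 RB=********
RETCODE=4 SAFDEF=INTERNAL MODE=GLOBAL SUBSYS=-
FUNCRET=4 FUNCRSN=0 NOAPFCHK
RACROUTE REQUEST=AUTH,CLASS='FACILITY',STATUS=ACCESS
HBRADMIN JOBNAME=DMC1MSTR USERID=******** PROGRAM=HBRMAIN RB=********
RETCODE=4 SAFDEF=GSO MODE=IGNORE SUBSYS=****
FUNCRET=4 FUNCRSN=0
RACROUTE REQUEST=EXTRACT,CLASS='HBRADMIN'
"""

# KEYWORD=VALUE pairs as they appear in the SHOW SAFDEF lines.
KV_RE = re.compile(r"([A-Z]+)=(\S+)")

# The SECTRACE line looks like "SAFDEF= GENAUTH INTERNAL MODE= GLOBAL";
# note the blank after each '='.
SECTRACE_SAFDEF_RE = re.compile(r"SAFDEF=\s*(\S+)\s+(INTERNAL|GSO)\s+MODE=\s*(\S+)")


def parse_show_safdef(text):
    """Return one dict per SAFDEF entry in SHOW SAFDEF output.

    Assumed layout: an entry starts with a line whose first token is the
    SAFDEF ID followed by JOBNAME=... selectors, continues with lines of
    KEYWORD=VALUE pairs (plus bare flags such as NOAPFCHK), and ends with
    the RACROUTE line describing the request it matches.
    """
    entries = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("--"):
            continue  # blank line or the banner
        if line.startswith("RACROUTE "):
            if current is not None:
                current["RACROUTE"] = line[len("RACROUTE "):]
                entries.append(current)
                current = None
            continue
        first, _, rest = line.partition(" ")
        if "JOBNAME=" in line and "=" not in first:
            current = {"ID": first}          # header line: ID + selectors
            current.update(KV_RE.findall(rest))
        elif current is not None:
            current.update(KV_RE.findall(line))
            for tok in line.split():         # bare flags become True
                if "=" not in tok:
                    current[tok] = True
    return entries


def parse_sectrace_safdef(line):
    """Extract (id, source, mode) from the SAFDEF=/MODE= line of a SECTRACE record."""
    m = SECTRACE_SAFDEF_RE.search(line)
    if m is None:
        raise ValueError("not a SAFDEF= line: %r" % line)
    return m.group(1), m.group(2), m.group(3)


def safdefs_to_review(entries):
    """Flag site-defined (GSO) SAFDEFs whose mode is not GLOBAL.

    IGNORE bypasses the SAF request, LOG allows access even when validation
    denies it, and QUIET suppresses normal processing, so a GSO SAFDEF in any
    of these modes is a site-configured exception to review. INTERNAL SAFDEFs
    are shipped by ACF2 and are left alone here (an assumed policy).
    """
    return [
        (e["ID"], e.get("MODE"), e.get("PROGRAM"), e.get("RACROUTE"))
        for e in entries
        if e.get("SAFDEF") == "GSO" and e.get("MODE") != "GLOBAL"
    ]


if __name__ == "__main__":
    print(parse_sectrace_safdef("SAFDEF= GENAUTH INTERNAL MODE= GLOBAL"))
    for finding in safdefs_to_review(parse_show_safdef(SHOW_SAFDEF_OUTPUT)):
        print("review:", finding)
```

Run against a saved SHOW SAFDEF listing, the script reports only HBRADMIN: IBMMFA is an INTERNAL SAFDEF running in GLOBAL mode, so the GSO OPTS mode and the normal validation still apply to it. A flagged entry should be checked against the GSO SAFDEF record that defines it (LIST LIKE(SAFDEF-) under SET CONTROL(GSO)) to confirm the exception is still intended.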
All of the GSO-defined SAFDEF records can be listed using the TSO ACF command processor. For example:
ACF
SET CONTROL(GSO)
LIST LIKE(SAFDEF-)
SYS1 / SAFDEF.ABC LAST CHANGED BY USER002 ON 24/11/08-11:28
FUNCRET(4) FUNCRSN(0) ID(TESTABC) MODE(GLOBAL)
RACROUTE(REQUEST=AUTH CLASS=FACILITY
ENTITYX=BPX.DAEMON,PRIVATE) RETCODE(4)
SYS1 / SAFDEF.ABCD LAST CHANGED BY USER001 ON 15/04/04-09:16
FUNCRET(4) FUNCRSN(0) ID(TESTABC) MODE(GLOBAL)
RACROUTE(REQUEST=AUTH CLASS=FACILITY
ENTITYX=(BPX.DAEMON,PRIVATE)) RETCODE(4) . . . . . .
Details on the SECTRACE command can be found in the CA-ACF2 Security for z/OS System Programmer Guide, in Chapter 6: Special Usage Consideration, section "Tracing SAF Requests".
Details on the GSO SAFDEF record can be found in the CA-ACF2 Security for z/OS Administrator Guide, Chapter 14: Maintaining Global System Options Records, section "Environments for SAF Calls (SAFDEF)".