Yes, there is an ACF2 job, FEKACF, that can be used to define the ACF2 rules, users and profile records for Rational Developer for System z; it is the equivalent of the RACF job FEKRACF.
The ACF2 FEKACF job follows. A sample JCL file, 1628078671939__FEKACF.TXT, can also be downloaded from the link at the bottom of the article. Details on the ACF2 commands can be found in the CA-ACF2 Security for z/OS Administrator Guide. Review all comments and customize as appropriate.
//FEKACF JOB 1,'DEFINE ACF2 SETTINGS'
//*********************************************************************
//*                                                                   *
//*                                                                   *
//* CA ACF2 FOR z/OS                                                  *
//* COPYRIGHT (C) 2009 CA. ALL RIGHTS RESERVED.                       *
//*                                                                   *
//* MEMBER: FEKACF2                                                   *
//*                                                                   *
//* Rational Developer for System z                                   *
//* This JCL can be used to define ACF2 rules, users, profile         *
//* records and make mandatory z/OS UNIX files program controlled.    *
//*                                                                   *
//* CAUTIONS:                                                         *
//* A) This JOB contains case sensitive path statements.              *
//* B) This is neither a JCL procedure nor a complete JOB.            *
//*    Before using this JCL, you will have to make the following     *
//*    modifications:                                                 *
//*                                                                   *
//* 1) Add the JOB parameters to meet your system requirements.       *
//*                                                                   *
//* 2) Customize the different steps of this JCL as documented in     *
//*    the step headers.                                              *
//*    A. ACF2INIT                                                    *
//*    B. USER                                                        *
//*    C. DATASET                                                     *
//*    D. STC                                                         *
//*    E. JESCMDS                                                     *
//*    F. SERVER                                                      *
//*    G. PROGCTLM                                                    *
//*    H. PSTICKET                                                    *
//*    I. POE                                                         *
//*    J. PROGCTLU (z/OS UNIX)                                        *
//*                                                                   *
//* Notes:                                                            *
//*                                                                   *
//* 1. The user ID that enters these commands must have SECURITY,     *
//*    ACCOUNT and REFRESH.                                           *
//*                                                                   *
//* 2. The user ID that runs this JOB must have READ access to        *
//*    BPX.FILEATTR.PROGCTL (FACILITY CLASS) or be UID(0).            *
//*                                                                   *
//* 3. This job should complete with a return code 0.                 *
//*    The ACF2 steps of this job will complete with a return code 0. *
//*    The results of each step must be verified after completion.    *
//*                                                                   *
//*********************************************************************
//*
//* PROCEDURE TO EXECUTE ACF2 COMMANDS WITH COMMENTS
//* - no customization needed
//*
//ACFCOM   PROC CMD=''
//ACFCOM   EXEC PGM=IKJEFT01,REGION=0M,PARM=&CMD
//SYSEXEC  DD DISP=(SHR,PASS),DSN=&&COMMENT
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD DUMMY
//         PEND
//*
//* CREATE TEMP REXX TO BE USED AS COMMENT CHARACTER FOR BATCH TSO
//* - no customization needed
//*
//COMMENT  EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSIN    DD DUMMY
//SYSUT2   DD DISP=(NEW,PASS),DSN=&&COMMENT(#),
//            SPACE=(TRK,(1,1,1)),DCB=(RECFM=FB,LRECL=80),UNIT=3390
//SYSUT1   DD DATA,DLM=$$
/* REXX */
/* COMMENT COMMAND TO BE USED IN BATCH TSO */
NOP
EXIT 0
$$
//*********************************************************************
//* REQUIRED SETTINGS AND CLASSES
//*
//* CA ACF2 has the following classes pre-defined:
//* FACILITY, CONSOLE, OPERCMDS, APPL, PTKTDATA, and PROGRAM
//*
//* No customization is needed to define these classes.
//*
//*********************************************************************
//*ACF2INIT EXEC ACFCOM
//*SYSTSIN  DD *
//*********************************************************************
//* DEFINE OMVS SEGMENT FOR USERS
//* - replace #user with user ID (assumes user ID already defined)
//* - replace #user-identifier with non-zero z/OS UNIX user ID
//* - replace #group-name with default ACF2 group for user ID
//* - replace #group-identifier with z/OS UNIX group ID
//*
//* Note: Ensure the home directory exists and the
//*       permissions for the directory allow #user access.
//*********************************************************************
//USER     EXEC ACFCOM
//SYSTSIN  DD *
# add OMVS profile record for existing user ID
ACF
set profile(user) div(omvs)
insert #user UID(#user-identifier) -
  home(/u/#user) omvspgm(/bin/sh)
END
# add OMVS profile record for existing group
ACF
set profile(group) div(omvs)
insert #group-name GID(#group-identifier)
END
//*********************************************************************
//* DEFINE DATA SET PERMISSIONS
//* - change "FEK.#CUST." to the appropriate high level qualifier(s)
//*   of customized data sets
//* - change "FEK." to the appropriate high level qualifier(s)
//*   of installation data sets
//* - change #sysprog to the sysprog's ACF2 UID string
//* - change #ram-developer to the RAM developer's ACF2 UID string
//* - change #cicsadmin to the CICS administrator's ACF2 UID string
//*
//* Notes:
//* + FEK.SFEKAUTH is an APF authorized data set.
//*   It is strongly advised that you protect data sets
//*   FEK.SFEKLOAD and FEK.SFEKLPA against updates.
//*********************************************************************
//DATASET  EXEC ACFCOM
//SYSTSIN  DD *
# general data set protection
ACF
set rule
reckey fek add(- uid(#sysprog) r(a) w(a) a(a))
reckey fek add(- uid(*) r(a))
reckey fek add(#cust.lstrans.file uid(*) r(a) w(a))
reckey fek add(#cust.cra-.- uid(*) r(a))
reckey fek add(#cust.adnrep-.- uid(*) r(a))
reckey fek add(#cust.adnrep-.- uid(#cicsadmin) r(a) w(a))
reckey fek add(#cust.adnman-.- uid(*) r(a) w(a))
END
//*********************************************************************
//* DEFINE STARTED TASKS
//* - (optional) change STCGROUP to the group name for started tasks
//* - (optional) change GID(1) to the z/OS UNIX group ID
//* - (optional) change STCJMON to the user ID of the JMON started task
//* - (optional) change UID(7) to the z/OS UNIX ID of STCJMON
//* - (optional) change STCRSE to the user ID of the RSED started task
//* - (optional) change UID(8) to the z/OS UNIX ID of STCRSE
//* - (optional) change STCLOCK to the user ID of the LOCK started task
//* - (optional) change UID(9) to the z/OS UNIX ID of STCLOCK
//*********************************************************************
//STC      EXEC ACFCOM
//SYSTSIN  DD *
# group for started tasks
ACF
set profile(group) div(omvs)
insert stcgroup gid(1)
END
# userid for JES job monitor
ACF
set lid
insert stcjmon name(RDZ - JES JOBMONITOR) stc -
  group(stcgroup) uid(7) home(/tmp) omvspgm(/bin/sh)
END
# userid for RSE daemon
ACF
insert stcrse name(RDZ - RSE DAEMON) stc -
  group(stcgroup) uid(8) home(/tmp) omvspgm(/bin/sh)
END
# userid for LOCK daemon
ACF
insert stclock name(RDZ - LOCK DAEMON) stc -
  group(stcgroup) uid(9) home(/tmp) omvspgm(/bin/sh)
END
# Add a GSO STC record for each of the started tasks
ACF
set c(gso)
insert STC.rsetask stc(rsed) logonid(stcrse) group(stcgroup)
insert STC.jmontask stc(jmon) logonid(stcjmon) group(stcgroup)
insert STC.locktask stc(lock) logonid(stclock) group(stcgroup)
f acf2,refresh(stc)
end
# Show resulting STC table
ACF
show stc
end
//*********************************************************************
//* DEFINE JES COMMAND SECURITY
//* - no customization needed
//*
//* Notes:
//* + the JMON console name cannot be changed
//* + Hold/Release/Cancel/Purge are the only JES commands available
//* + the commands can be limited in JES Job Monitor configuration file
//*   > owned by user
//*   > nodeid.userid.jobname.jobid profile in JESSPOOL class
//*
//* Ensure CLASMAP records map each class to an appropriate 3-character
//* type code.
//*********************************************************************
//JESCMDS  EXEC ACFCOM
//SYSTSIN  DD *
# define JMON console
ACF
set resource(saf)
reckey jmon add(uid(*) service(read) allow)
END
# define JMON console access
ACF
set resource(saf)
reckey mvs add(uid(*) service(read) allow)
END
# define conditional JES operator command access
ACF
set resource(saf)
reckey jes* add(- uid(*) prevent)
reckey jes* add(- uid(*) source(jmon) service(read,update) allow)
END
//*********************************************************************
//* DEFINE RSE SERVER AS A SECURE z/OS UNIX SERVER
//* - change STCRSE to the user ID of the RSED started task
//*
//* Note: STCRSE requires UID(0) if this profile is not defined
//*********************************************************************
//SERVER   EXEC ACFCOM
//SYSTSIN  DD *
ACF
set resource(fac)
reckey bpx.server add(uid(*) prevent)
reckey bpx.server add(uid(rsed uid string) service(read,update) allow)
f acf2,rebuild(fac)
END
//*********************************************************************
//* DEFINE MVS PROGRAM CONTROLLED LIBRARIES FOR RSE SERVER
//* - provide correct data set names
//*
//* Ensure the following libraries are protected and permit READ access:
//* sys1.linklib, sys1.miglib, cee.sceerun, cee.sceerun2,
//* isp.sisplpa, and isp.sispload.
//*
//*PROGCTLM EXEC ACFCOM
//*SYSTSIN  DD *
//*********************************************************************
//* DEFINE PASSTICKET SUPPORT FOR RSE SERVER
//* - change "key16......" to a secret 16 character hex string
//*
//* Notes:
//* + RSE can be configured to use the shared OMVSAPPL application ID
//* + the FEKAPPL application ID cannot be changed, but it can be
//*   replaced by OMVSAPPL
//*********************************************************************
//PSTICKET EXEC ACFCOM
//SYSTSIN  DD *
# define RSE server as an application
ACF
set resource(saf)
reckey fekappl add(uid(*) service(read) allow)
END
# activate passticket support for RSE application
ACF
set profile(ptktdata) div(ssignon)
insert fekappl mult-use sskey(key16......)
set resource(ptk)
reckey irrptauth add(fekappl.- uid(stcrse uid string) -
  service(read,update) allow)
END
//*********************************************************************
//* DEFINE PORT OF ENTRY CHECKING FOR RSE SERVER
//* - change STCRSE to the user ID of the RSED started task
//*
//* Notes:
//* + RSE server must be configured to use POE
//* + defining BPX.POE will impact other TCPIP applications, like INETD
//* + security zones should be set up in the SERVAUTH class
//* + STCRSE requires UID(0) if this profile is not defined and
//*   you enable POE checking for RSE server
//*********************************************************************
//POE      EXEC ACFCOM
//SYSTSIN  DD *
# activate port of entry checking
ACF
set resource(fac)
reckey bpx.poe add(uid(*) prevent)
reckey bpx.poe add(uid(stcrse uid string) service(read) allow)
f acf2,rebuild(fac)
f acf2,rebuild(grp),class(p)
f acf2,rebuild(usr),class(p)
f acf2,rebuild(ptk),class(p)
END
//*********************************************************************
//* MAKE JAVA INTERFACE PROGRAM CONTROLLED FOR RSE SERVER
//* - provide, in variable ACFJNI, the path of the Java interface
//*   to your security software (default is /usr/lib/libIRRRacf.so)
//*
//* Notes:
//*
//* + You need READ access to the BPX.FILEATTR.PROGCTL profile
//*   (FACILITY class) or UID(0) to execute the extattr command
//* + Since z/OS 1.10, /usr/lib/libIRRRacf.so is part of SAF, which
//*   ships with base z/OS
//*
//         SET ACFJNI='/usr/lib/libIRRRacf.so'
//*
//PROGCTLU EXEC PGM=BPXBATCH,
//            PARM='SH extattr +p &ACFJNI.'
//STDOUT   DD SYSOUT=*
//STDERR   DD SYSOUT=*
//*
//* SHOW RESULTS OF THE EXTATTR COMMAND
//*
//PROGRAM  EXEC PGM=BPXBATCH,
//            PARM='SH ls -E &ACFJNI.'
//STDOUT   DD SYSOUT=*
//STDERR   DD SYSOUT=*
/*
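Before a customized copy of this job is submitted, two things are worth checking mechanically: placeholders from the sample (#user, #sysprog, the key16 seed, the "uid string" stand-ins) that were never replaced, and lines that run into columns 73-80, which the sample avoids with `-` continuation. The script below is an added example written for this page, not part of the IBM sample; the placeholder list mirrors the tokens the job's comments name, and the spelling of the `key16` and `... uid string` patterns is an assumption.

```python
import re

# Placeholders the sample FEKACF job asks you to replace.  A '#' at the
# start of a TSO line is the job's own comment command (the temporary
# REXX exec), so only '#' immediately followed by a known token counts.
PLACEHOLDER_RE = re.compile(
    r"#(?:user-identifier|user|group-name|group-identifier|sysprog|"
    r"ram-developer|cicsadmin|cust)\b"
    r"|key16\.*"                 # sskey(key16......) in the PSTICKET step
    r"|\b\w+ uid string\b"       # uid(stcrse uid string) in SERVER/POE
)

def lint_jcl(text: str) -> list[str]:
    """Return one finding per unreplaced placeholder or over-long line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # JCL statements must fit in columns 1-71 and in-stream lines in
        # 1-72; columns 73-80 are the sequence-number area, and an ACF2
        # command that spills there is truncated or picks up the sequence
        # number.  The sample uses '-' continuation to stay within limits.
        limit = 71 if line.startswith("//") else 72
        if len(line.rstrip()) > limit:
            findings.append(f"line {lineno}: exceeds column {limit}")
        if line.startswith("//*"):
            continue  # JCL comment: placeholders here are documentation
        for m in PLACEHOLDER_RE.finditer(line):
            findings.append(
                f"line {lineno}: unreplaced placeholder {m.group(0)!r}")
    return findings

# Constructed fragment of a not-yet-customized job (assembled for this
# example; the last line deliberately drops the '-' continuation).
SAMPLE = """\
//FEKACF JOB 1,'DEFINE ACF2 SETTINGS'
//* - replace #user with user ID (comment, ignored)
//USER     EXEC ACFCOM
//SYSTSIN  DD *
# add OMVS profile record for existing user ID
ACF
set profile(user) div(omvs)
insert #user UID(#user-identifier) -
  home(/u/#user) omvspgm(/bin/sh)
END
reckey fek add(#cust.lstrans.file uid(*) r(a) w(a))
insert fekappl mult-use sskey(key16......)
reckey bpx.poe add(uid(stcrse uid string) service(read) allow)
insert stcjmon name(RDZ - JES JOBMONITOR) stc group(stcgroup) uid(7) home(/tmp) omvspgm(/bin/sh)
"""

if __name__ == "__main__":
    for finding in lint_jcl(SAMPLE):
        print(finding)
```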