I am trying to activate CA-DATACOM external security with CA-ACF2 however the Multi-User Facility region initializes with internal security. What is causing internal security to be used when the required CA-ACF2 resource rules are in place?
If the CA-DATACOM Multi-User Facility region's logonid has the CA-ACF2 "NON-CNCL" privilege then CA-Datacom resource rules will not work. CA-ACF2 GSO SAFDEFs are required to activate external security when the logonid has "NON-CNCL".
The CA-Datacom resource names ACTIVATE.LEVELnn.PASS and ACTIVATE.LEVELnn.FAILare validated against the logon ID associated with the CA-Datacom Multi-User Facility. If access is allowed to the PASS resource and access is denied for the FAIL resource, external security is in effect.
If the logonid associated with the Multi-User Facility has the CA-ACF2 NON-CNCL privilege, then the FAIL resource will have no effect on determining the use of ACF2 for external security for Datacom because the NON-CNCL will have access to any resource. To control the use of CA-ACF2 for external Datacom security, CA-ACF2 GSO SAFDEFs can be used to return the proper return codes to CA-DATACOM to enforce the desired level of security. For example the following SAFDEFs can be used to activate CA-ACF2 external security for CA-Datacom/DB, Datadictionary, and CA-Dataquery for a logonid LLLLLLLL which has the NON-CNCL privilege:
ACF SET CONTROL(GSO) INSERT SAFDEF.DCFAIL FUNCRET(8) FUNCRSN(0) ID(DATACOM) MODE(IGNORE) - RACROUTE(REQUEST=AUTH CLASS=DTSYSTEM - ENTITYX=ACTIVATE.LEVEL04.FAIL) RETCODE(8) USERID(LLLLLLLL) INSERT SAFDEF.DCPASS FUNCRET(0) FUNCRSN(0) ID(DATACOM2) MODE(IGNORE) RACROUTE(REQUEST=AUTH CLASS=DTSYSTEM ENTITYX=ACTIVATE.LEVEL04.PASS) RETCODE(0) USERID(LLLLLLLL) F ACF2,REFRESH(SAFDEF)