I am trying to activate CA-DATACOM external security with ACF2 however the Multi-User Facility region initializes with internal security. What is causing internal security to be used when the required CA-ACF2 resource rules are in place?


Article ID: 54970


Products

ACF2 ACF2 - DB2 Option ACF2 for zVM ACF2 - z/OS ACF2 - MISC PanApt PanAudit

Issue/Introduction

Problem:

I am trying to activate CA-DATACOM external security with CA-ACF2 however the Multi-User Facility region initializes with internal security. What is causing internal security to be used when the required CA-ACF2 resource rules are in place?

Cause:

If the CA-DATACOM Multi-User Facility region's logonid has the CA-ACF2 "NON-CNCL" privilege, the CA-Datacom resource rules cannot produce the required result. CA-ACF2 GSO SAFDEF records are required to activate external security when the logonid has "NON-CNCL".

Solution:

The CA-Datacom resource names ACTIVATE.LEVELnn.PASS and ACTIVATE.LEVELnn.FAIL are validated against the logonid associated with the CA-Datacom Multi-User Facility. External security is in effect only when access to the PASS resource is allowed and access to the FAIL resource is denied.

If the logonid associated with the Multi-User Facility has the CA-ACF2 NON-CNCL privilege, the FAIL resource has no effect on the decision: a NON-CNCL logonid is allowed access to any resource, so the FAIL check can never be denied and CA-Datacom falls back to internal security. To control the use of CA-ACF2 for external CA-Datacom security in this case, CA-ACF2 GSO SAFDEF records can be used to return the proper return codes to CA-DATACOM and enforce the desired level of security. For example, the following SAFDEFs activate CA-ACF2 external security for CA-Datacom/DB, Datadictionary, and CA-Dataquery for a logonid LLLLLLLL which has the NON-CNCL privilege (MODE(IGNORE) causes CA-ACF2 to skip rule validation for the matching request and return the RETCODE specified, so the FAIL request is denied with return code 8 and the PASS request is allowed with return code 0):

ACF
SET CONTROL(GSO)
INSERT SAFDEF.DCFAIL FUNCRET(8) FUNCRSN(0) ID(DATACOM) MODE(IGNORE) -
                     RACROUTE(REQUEST=AUTH CLASS=DTSYSTEM -
                     ENTITYX=ACTIVATE.LEVEL04.FAIL) RETCODE(8) USERID(LLLLLLLL)

INSERT SAFDEF.DCPASS FUNCRET(0) FUNCRSN(0) ID(DATACOM2) MODE(IGNORE) -
                     RACROUTE(REQUEST=AUTH CLASS=DTSYSTEM -
                     ENTITYX=ACTIVATE.LEVEL04.PASS) RETCODE(0) USERID(LLLLLLLL)

F ACF2,REFRESH(SAFDEF)
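To make the decision logic above concrete, here is a small Python model of the PASS/FAIL activation check as this article describes it. It is an added illustration, not CA-ACF2 or CA-Datacom code; the class names, the rule table and the treatment of only RETCODE (FUNCRET/FUNCRSN are omitted) are assumptions made for the model.

```python
# Model of the CA-Datacom external-security activation check described above.
# Constructed illustration only: not CA-ACF2/CA-Datacom code; names are assumptions.
from dataclasses import dataclass


@dataclass
class Logonid:
    name: str
    non_cncl: bool = False  # NON-CNCL privilege: access to any resource is allowed


@dataclass
class Safdef:
    # Models a GSO SAFDEF with MODE(IGNORE): validation is skipped and RETCODE returned
    userid: str
    entityx: str
    retcode: int


def resource_rules_allow(logonid: Logonid, entity: str, rules: dict) -> bool:
    # Resource rule check: NON-CNCL always passes, otherwise a rule must grant the logonid
    if logonid.non_cncl:
        return True
    return logonid.name in rules.get(entity, set())


def racroute_auth(logonid: Logonid, entity: str, rules: dict, safdefs: list) -> int:
    # SAF-style return code: 0 = access allowed, 8 = access denied.
    # A matching SAFDEF short-circuits the rule check and returns its RETCODE.
    for s in safdefs:
        if s.userid == logonid.name and s.entityx == entity:
            return s.retcode
    return 0 if resource_rules_allow(logonid, entity, rules) else 8


def external_security_active(logonid: Logonid, level: int, rules: dict, safdefs: list) -> bool:
    # External security is in effect only if PASS is allowed AND FAIL is denied.
    pass_rc = racroute_auth(logonid, f"ACTIVATE.LEVEL{level:02d}.PASS", rules, safdefs)
    fail_rc = racroute_auth(logonid, f"ACTIVATE.LEVEL{level:02d}.FAIL", rules, safdefs)
    return pass_rc == 0 and fail_rc != 0


# Constructed sample: rules grant only the PASS resource to the MUF logonid.
MUF_RULES = {"ACTIVATE.LEVEL04.PASS": {"LLLLLLLL"}}
MUF_SAFDEFS = [
    Safdef("LLLLLLLL", "ACTIVATE.LEVEL04.FAIL", 8),  # SAFDEF.DCFAIL RETCODE(8)
    Safdef("LLLLLLLL", "ACTIVATE.LEVEL04.PASS", 0),  # SAFDEF.DCPASS RETCODE(0)
]
```

Running the three cases (plain logonid, NON-CNCL logonid without SAFDEFs, NON-CNCL logonid with SAFDEFs) shows that only the middle one leaves CA-Datacom on internal security.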

Environment

Release:
Component: ACF2MS
