z/OS 2.5 requires SDSF security to be converted into external security. What are the steps to convert SDSF ISFPARMS to ACF2 security?
Release : 16.0
Component : ACF2 for z/OS
There is no ACF2 migration utility available that converts ISFPARMS to ACF2 security directly.
There are two steps to convert SDSF ISFPARMS to ACF2 security.
1. Convert ISFPRMxx into RACF commands using the IBM-provided REXX utility
2. Convert RACF commands into ACF2
A) Group users by UID string or Roles
B) Use ACF2 X(RGP) Resource Grouping for SDSF Resources
2. A) Group users by UID string or Roles
After identifying which ISFPRMxx member SDSF is using, determine how security is set up by assessing how users/logonids are grouped and what they are authorized to do in SDSF according to this IBM documentation.
Taking as an example two SDSF groups, ISFDBA and ISFOPER, from ISFPRMxx (shown below as the RACF ADDGROUP commands the utility generates), these groups are converted to ACF2 security using ROLE-based and UID-based sample rules.
/* Commands for GROUP profiles */
ADDGROUP ISFDBA OWNER(ISF) SUP(ISF)
ADDGROUP ISFOPER OWNER(ISF) SUP(ISF)
There are two ways to convert SDSF groups into ACF2 security rules as explained below:
a. ROLE based: This is the recommended and comparatively easier implementation method.
ISFPARMS associates logonids with a specific group, such as ISFDBA and ISFOPER in this example, via the following ISFPRMxx parameters:
ISFPRMxx parameter  | Description
Name(Group-Name)    | Group name used in SAF resource
ILPROC(NTBL-Name)   | Includes users by logon procedure
ITNAME(NTBL-Name)   | Includes users by terminal name
IUID(NTBL-Name)     | Includes users by user ID
TSOAUTH(attributes) | Includes users by TSO authority
The first step is to create a role record (X(ROL)) for each group and add all the logonids associated with ISFDBA and ISFOPER to the corresponding role record.
Here are sample commands to create the ISFDBA and ISFOPER role records and add logonids according to the NTBL names and attributes:
SET X(ROL)
INSERT ISFOPER include(logonid1,logonid2...logonid3) ROLE
INSERT ISFDBA include(logonid4,logonid5...logonid6) ROLE
F ACF2,NEWXREF,TYPE(ROL)
The next step is to write ACF2 rules for these roles. A sample RACF PERMIT converted to an ACF2 ROLE-based rule is shown below for the ISFCMD.DSP.ACTIVE.JES2 resource:
/* Commands for SDSF profiles */
PERMIT ISFCMD.DSP.ACTIVE.JES2 CLASS(SDSF) ID(ISFDBA) ACCESS(READ)
PERMIT ISFCMD.DSP.ACTIVE.JES2 CLASS(SDSF) ID(ISFOPER) ACCESS(READ)
ACF
SET RESOURCE(SDF)
RECKEY ISFCMD ADD(DSP.ACTIVE.JES2 ROLE(ISFDBA) SERVICE(READ) ALLOW)
RECKEY ISFCMD ADD(DSP.ACTIVE.JES2 ROLE(ISFOPER) SERVICE(READ) ALLOW)
b. UID based: This can be a more complicated implementation, as the correlation between ISFPRMxx groups and the UID string needs to be worked out.
Taking the same two groups ISFDBA and ISFOPER as an example, the UID string definition needs to be examined first before converting them into UID-based rules.
The UID string has the following fields defined as an example:
Field Name    | Field Length
COMPANY       | 3
STATE         | 2
DEPT          | 5
FUNCTION CODE | 3
logonid       | 8
If a field in the UID string corresponds to the ISFPARMS group, such as FUNCTION CODE in the layout above, where a FUNCTION CODE of DBA corresponds to the ISFPARMS group ISFDBA and a FUNCTION CODE of OPR corresponds to the ISFPARMS group ISFOPER:
DBA => ISFDBA
OPR => ISFOPER
Next, UID-string-based rules can be written for the ISFCMD.DSP.ACTIVE.JES2 resource as shown below. With the sample layout above, FUNCTION CODE occupies positions 11 to 13 of the UID string (after COMPANY, STATE and DEPT), so the mask places the code there and masks every other position with *:
ACF
SET RESOURCE(SDF)
RECKEY ISFCMD ADD(DSP.ACTIVE.JES2 UID(**********DBA********) SERVICE(READ) ALLOW)
RECKEY ISFCMD ADD(DSP.ACTIVE.JES2 UID(**********OPR********) SERVICE(READ) ALLOW)
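The two conversions above (ROLE-based in section a and UID-based in section b) follow a mechanical pattern that is easy to get wrong by hand when the utility emits hundreds of PERMIT lines. The following script is an added example, not code from this article, IBM or Broadcom: it parses PERMIT lines of the shape shown above and emits the matching RECKEY rules in either style. The UID string layout, the group-to-FUNCTION CODE mapping, the ACCESS-to-SERVICE mapping and the sample input are constructed for the example from the article's values and must be replaced with your site's definitions.

```python
"""Convert the RACF PERMIT commands emitted by IBM's ISFPRMxx REXX utility
into ACF2 RECKEY rules, in either ROLE-based or UID-based form.

Added example, not code from the KB article, IBM or Broadcom. Assumptions
(constructed for the example): PERMIT lines have the shape shown in the
article, the UID string layout is the article's sample layout, and each
SDSF group maps to an ACF2 ROLE of the same name or to a FUNCTION CODE
value as in the article (DBA -> ISFDBA, OPR -> ISFOPER).
"""
import re

# Sample UID string layout from the article: (field name, length), in order.
UID_LAYOUT = [
    ("COMPANY", 3),
    ("STATE", 2),
    ("DEPT", 5),
    ("FUNCTION CODE", 3),
    ("LOGONID", 8),
]

# Sample SDSF group -> FUNCTION CODE mapping from the article.
GROUP_TO_FUNCTION = {"ISFDBA": "DBA", "ISFOPER": "OPR"}

# RACF ACCESS level -> ACF2 SERVICE keyword. Only the levels this example
# needs are listed (assumption); extend it with your site's mapping before
# converting profiles that use other access levels.
ACCESS_TO_SERVICE = {"READ": "READ", "UPDATE": "UPDATE"}

# Matches: PERMIT <resource> CLASS(<class>) ID(<group>) ACCESS(<level>)
PERMIT_RE = re.compile(
    r"^\s*PERMIT\s+(?P<resource>\S+)\s+CLASS\((?P<class>\w+)\)\s+"
    r"ID\((?P<group>\w+)\)\s+ACCESS\((?P<access>\w+)\)\s*$",
    re.IGNORECASE,
)

# Constructed sample input in the shape of the utility's output.
SAMPLE_RACF = """\
/* Commands for GROUP profiles */
ADDGROUP ISFDBA OWNER(ISF) SUP(ISF)
ADDGROUP ISFOPER OWNER(ISF) SUP(ISF)
/* Commands for SDSF profiles */
PERMIT ISFCMD.DSP.ACTIVE.JES2 CLASS(SDSF) ID(ISFDBA) ACCESS(READ)
PERMIT ISFCMD.DSP.ACTIVE.JES2 CLASS(SDSF) ID(ISFOPER) ACCESS(READ)
"""


def parse_permit(line):
    """Return the parts of a PERMIT for CLASS(SDSF), or None for other lines."""
    m = PERMIT_RE.match(line)
    if m is None or m["class"].upper() != "SDSF":
        return None
    return {k: v.upper() for k, v in m.groupdict().items()}


def split_resource(resource):
    """ISFCMD.DSP.ACTIVE.JES2 -> ('ISFCMD', 'DSP.ACTIVE.JES2'): the first
    qualifier becomes the RECKEY name, the rest becomes the rule entry."""
    key, _, rest = resource.partition(".")
    return key, rest


def uid_mask(layout, field, value):
    """Build a UID mask with `value` in `field` and `*` (matches any one
    character) in every other position, e.g. **********DBA********."""
    parts = []
    for name, length in layout:
        if name == field:
            if len(value) > length:
                raise ValueError(f"{value!r} longer than field {field} ({length})")
            parts.append(value.ljust(length, "*"))
        else:
            parts.append("*" * length)
    return "".join(parts)


def service_for(access):
    try:
        return ACCESS_TO_SERVICE[access]
    except KeyError:
        raise ValueError(f"no SERVICE mapping for ACCESS({access})") from None


def role_rule(permit):
    """ROLE-based rule: the RACF group name is reused as the ACF2 role name."""
    key, rest = split_resource(permit["resource"])
    return (f"RECKEY {key} ADD({rest} ROLE({permit['group']}) "
            f"SERVICE({service_for(permit['access'])}) ALLOW)")


def uid_rule(permit, group_to_function=GROUP_TO_FUNCTION, layout=UID_LAYOUT):
    """UID-based rule: the group is translated to a FUNCTION CODE mask."""
    key, rest = split_resource(permit["resource"])
    mask = uid_mask(layout, "FUNCTION CODE", group_to_function[permit["group"]])
    return (f"RECKEY {key} ADD({rest} UID({mask}) "
            f"SERVICE({service_for(permit['access'])}) ALLOW)")


def convert(racf_text, style="ROLE"):
    """Convert every CLASS(SDSF) PERMIT in racf_text to ACF2 commands."""
    make = role_rule if style == "ROLE" else uid_rule
    out = ["ACF", "SET RESOURCE(SDF)"]
    for line in racf_text.splitlines():
        permit = parse_permit(line)
        if permit is not None:
            out.append(make(permit))
    return out


if __name__ == "__main__":
    print("\n".join(convert(SAMPLE_RACF, "ROLE")))
    print("\n".join(convert(SAMPLE_RACF, "UID")))
```

Lines that are not CLASS(SDSF) PERMITs (the ADDGROUP commands, comments) are skipped, so the output is only the rule entries to review; unmapped ACCESS levels raise rather than silently producing a weaker or stronger SERVICE, which is the check worth having before the rules are compiled.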
2. B) Use ACF2 X(RGP) Resource Grouping for SDSF Resources
The IBM-provided REXX utility breaks SDSF resources into logical SDSF resource groups (GSDSF profiles) such as ATTR.CMDx, where x is 2 to 7. These can be translated into ACF2 X(RGP) resource groups with the same names ATTR.CMDx, each including multiple resource commands. Rules can then be coded to give logonids access to the whole group of commands.
Sample rules to allow logonids access to an SDSF group of resource commands:
* ACF2 X(RGP) Resource Grouping can be used. Resource rules can be
* written to give UID based groups or Role based groups access to the X(RGP) groups
* ATTR.CMDx where x equals 2 to 7. For example:
* UID string Based Rules
* SET RESOURCE(SDF)
* RECKEY ATTR.CMD2 ADD( UID(…grpA) ALLOW)
* RECKEY ATTR.CMD3 ADD( UID(…grpB) ALLOW)
* RECKEY ATTR.CMD4 ADD( UID(…grpC) ALLOW)
* RECKEY ATTR.CMD5 ADD( UID(…grpD) ALLOW)
* RECKEY ATTR.CMD6 ADD( UID(…grpE) ALLOW)
* RECKEY ATTR.CMD7 ADD( UID(…grpF) ALLOW)
* Role Based Rules
SET RESOURCE(SDF)
RECKEY ATTR.CMD2 ADD( ROLE(GrpA) ALLOW)
RECKEY ATTR.CMD3 ADD( ROLE(GrpB) ALLOW)
RECKEY ATTR.CMD4 ADD( ROLE(GrpC) ALLOW)
RECKEY ATTR.CMD5 ADD( ROLE(GrpD) ALLOW)
RECKEY ATTR.CMD6 ADD( ROLE(GrpE) ALLOW)
RECKEY ATTR.CMD7 ADD( ROLE(GrpF) ALLOW)
Sample Resource Command Groups
SET X(RGP)
* Create X(RGP) Group ATTR.CMD2
INSERT ATTR.CMD2 RESOURCE TYPE(SDF) INCLUDE(ISFATTR.OUTPUT.BURST, -
ISFATTR.OUTPUT.CLASS, -
ISFATTR.OUTPUT.COPYCNT, -
ISFATTR.OUTPUT.DEST, -
..
..
ISFATTR.OUTDESC.USERLIB, -
ISFATTR.OUTDESC.FORMLEN, -
ISFATTR.OUTDESC.PRTERROR)
* Create X(RGP) Group ATTR.CMD3
SET X(RGP)
INSERT ATTR.CMD3 RESOURCE TYPE(SDF) INCLUDE(ISFATTR.CHECK.CATEGORY, -
ISFATTR.CHECK.DEBUG, -
ISFATTR.CHECK.EINTERVAL, -
ISFATTR.CHECK.INTERVAL, -
..
..
ISFATTR.SPOOL.OVFNAME, -
ISFATTR.SPOOL.PARTNAME, -
ISFATTR.SPOOL.SYSAFF, -
ISFATTR.ENCLAVE.SRVCLASS)
* Create X(RGP) Group ATTR.CMD4
SET X(RGP)
INSERT ATTR.CMD4 RESOURCE TYPE(SDF) INCLUDE(ISFATTR.CHECK.CATEGORY, -
ISFATTR.CHECK.DEBUG, -
ISFATTR.CHECK.EINTERVAL, -
ISFATTR.CHECK.INTERVAL, -
..
..
ISFATTR.SELECT.CLASS, -
ISFATTR.SPOOL.SYSAFF, -
ISFATTR.RESOURCE.-)
* Create X(RGP) Group ATTR.CMD5
SET X(RGP)
INSERT ATTR.CMD5 RESOURCE TYPE(SDF) INCLUDE(ISFATTR.CHECK.CATEGORY, -
ISFATTR.CHECK.DEBUG, -
ISFATTR.CHECK.EINTERVAL, -
ISFATTR.CHECK.INTERVAL, -
..
..
ISFATTR.SELECT.DEST, -
ISFATTR.SPOOL.SYSAFF, -
ISFATTR.RESOURCE.-)
* Create X(RGP) Group ATTR.CMD6
SET X(RGP)
INSERT ATTR.CMD6 RESOURCE TYPE(SDF) INCLUDE(ISFATTR.CHECK.CATEGORY, -
ISFATTR.CHECK.DEBUG, -
ISFATTR.CHECK.EINTERVAL, -
ISFATTR.CHECK.INTERVAL, -
..
..
ISFATTR.PROPTS.WS, -
ISFATTR.SPOOL.SYSAFF, -
ISFATTR.RESOURCE.-)
* Create X(RGP) Group ATTR.CMD7
SET X(RGP)
INSERT ATTR.CMD7 RESOURCE TYPE(SDF) INCLUDE(ISFATTR.CHECK.CATEGORY, -
ISFATTR.CHECK.DEBUG, -
ISFATTR.CHECK.EINTERVAL, -
ISFATTR.CHECK.INTERVAL, -
..
..
ISFATTR.PROPTS.WS, -
ISFATTR.SPOOL.SYSAFF, -
ISFATTR.RESOURCE.-, -
ISF-.-)
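The X(RGP) groups above are long member lists copied from the utility's GSDSF profiles, and the article elides most members with "..". The following script is an added example, not code from this article, IBM or Broadcom: it reads RDEFINE GSDSF lines, emits the INSERT commands in the continuation-line layout shown above, and writes the ROLE-based rules that grant each role its group. The RDEFINE line shape with ADDMEM, the shortened sample member lists and the group-to-role assignment are assumptions constructed for the example; the layout the IBM REXX utility actually emits may differ.

```python
"""Translate RACF GSDSF grouping profiles into ACF2 X(RGP) resource groups
and write ROLE-based rules that grant access to each group.

Added example; not code from the KB article, IBM or Broadcom. Assumptions
(constructed for the example): the RACF input has the shape
`RDEFINE GSDSF <group> ... ADDMEM(<members>)` with members separated by
commas and/or blanks (the exact layout the IBM REXX utility emits may
differ), the GSDSF profile names are reused unchanged as X(RGP) record
names, and the caller supplies which role gets which group.
"""
import re

# Matches: RDEFINE GSDSF <group> ... ADDMEM(<member list>)
RDEFINE_RE = re.compile(
    r"^\s*RDEFINE\s+GSDSF\s+(?P<group>\S+).*?ADDMEM\((?P<members>[^)]*)\)",
    re.IGNORECASE,
)

# Constructed sample input; member lists are shortened for the example.
SAMPLE_GSDSF = """\
/* Commands for GSDSF profiles */
RDEFINE GSDSF ATTR.CMD2 UACC(NONE) ADDMEM(ISFATTR.OUTPUT.BURST, ISFATTR.OUTPUT.CLASS, ISFATTR.OUTPUT.COPYCNT)
RDEFINE GSDSF ATTR.CMD3 UACC(NONE) ADDMEM(ISFATTR.CHECK.CATEGORY ISFATTR.CHECK.DEBUG)
RDEFINE GSDSF ATTR.CMD7 UACC(NONE) ADDMEM(ISFATTR.RESOURCE.-, ISF-.-)
"""

# Constructed: which ACF2 role gets each resource group.
SAMPLE_GROUP_TO_ROLE = {"ATTR.CMD2": "GRPA", "ATTR.CMD3": "GRPB", "ATTR.CMD7": "GRPF"}


def parse_gsdsf(racf_text):
    """Return {group name: [member resource names]} from RDEFINE GSDSF lines."""
    groups = {}
    for line in racf_text.splitlines():
        m = RDEFINE_RE.match(line)
        if m is None:
            continue
        members = [x.upper() for x in re.split(r"[\s,]+", m["members"].strip()) if x]
        groups[m["group"].upper()] = members
    return groups


def rgp_insert(group, members, rtype="SDF"):
    """ACF2 commands creating one X(RGP) record, one member per line with
    the `-` continuation character the article's samples use."""
    if not members:
        raise ValueError(f"group {group} has no members")
    lines = ["SET X(RGP)", f"* Create X(RGP) Group {group}"]
    head = f"INSERT {group} RESOURCE TYPE({rtype}) INCLUDE("
    if len(members) == 1:
        lines.append(f"{head}{members[0]})")
        return lines
    lines.append(f"{head}{members[0]}, -")
    lines.extend(f"{m}, -" for m in members[1:-1])
    lines.append(f"{members[-1]})")
    return lines


def rgp_rules(group_to_role, rtype="SDF"):
    """Resource rules granting each role access to its whole X(RGP) group."""
    lines = [f"SET RESOURCE({rtype})"]
    for group, role in group_to_role.items():
        lines.append(f"RECKEY {group} ADD( ROLE({role}) ALLOW)")
    return lines


def convert_groups(racf_text, group_to_role):
    """Full conversion: X(RGP) inserts, then rules, then a cross-reference
    rebuild. Refuses to run if any parsed group has no role assigned, so a
    group is never created without a deliberate access decision."""
    groups = parse_gsdsf(racf_text)
    missing = set(groups) - set(group_to_role)
    if missing:
        raise ValueError(f"no role assigned for: {sorted(missing)}")
    out = []
    for group, members in groups.items():
        out.extend(rgp_insert(group, members))
    out.extend(rgp_rules(group_to_role))
    # Rebuild the X(RGP) cross-reference, as the article does for X(ROL).
    out.append("F ACF2,NEWXREF,TYPE(RGP)")
    return out


if __name__ == "__main__":
    print("\n".join(convert_groups(SAMPLE_GSDSF, SAMPLE_GROUP_TO_ROLE)))
```

The generated INSERT lines keep one member per line, which keeps each command line short enough for batch ACF input and makes a later diff against the utility's GSDSF member lists straightforward.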
Further information related to SDSF 2.5 can be found in the TechDoc Using SAF for SDSF External Security.