At signon, CA ACF2 builds a list of roles that the user is associated with, based on the values in X-ROL records. This list is used for data set and resource validations involving role rule sets. The first role in the list is used for validation. If access is denied, the next role in the list is selected and the validation is re-driven. This process continues until access is allowed or all of the roles in the list are exhausted, at which point access is denied. Loggings are reported on the active role.
Note: X(ROL) records are SYSID dependent. When CA ACF2 starts up or when an F ACF2,NEWXREF,TYPE(ROL) command is issued, it builds a structure of all the X(ROL) records in storage, based on the SYSID at startup or as specified on the NEWXREF command. When a user signs on, CA ACF2 builds their list of roles based on this structure. For this reason, it is very important to maintain the correct SYSID for X(ROL) records. Security exposures could result if the SYSID is not maintained correctly.
If you want X(ROL) records to be identified and used across any SYSID on any system using the same INFOSTG database, use the SET X(ROL) SYSID(********) command before inserting, changing and deleting X(ROL) records.
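The following is an added example, not CA ACF2 code or output: a simplified Python model of the role-list validation described above, showing how the SYSID used to build the in-storage structure changes which roles a user gets and therefore what is allowed. The record layout, role names, logonids, resource names, list ordering and the mask handling (exact SYSID or an all-asterisk mask) are assumptions made for illustration.

```python
"""Simplified model of role-list validation; illustrative only, not CA ACF2 code."""

# Constructed X(ROL)-style records: (sysid, role, member logonids).
XROL_RECORDS = [
    ("PROD", "AUDITOR", {"USER01"}),
    ("PROD", "PAYROLL", {"USER01", "USER02"}),
    ("TEST", "SYSPROG", {"USER01"}),
    ("********", "HELPDESK", {"USER02"}),
]

# Constructed role rule sets: role -> resources that role is allowed to access.
ROLE_RULES = {
    "AUDITOR": {"SMF.DUMP"},
    "PAYROLL": {"PAY.MASTER"},
    "SYSPROG": {"SYS1.PARMLIB"},
    "HELPDESK": {"PWD.RESET"},
}

def build_xref(sysid):
    """Model the structure built at startup or on NEWXREF for one SYSID.
    Assumption: a record applies if its SYSID matches exactly or is all asterisks."""
    return [(role, members) for rec_sysid, role, members in XROL_RECORDS
            if rec_sysid == sysid or set(rec_sysid) == {"*"}]

def roles_at_signon(xref, logonid):
    """Build the user's role list from the in-storage structure (record order assumed)."""
    return [role for role, members in xref if logonid in members]

def validate(roles, resource):
    """Try each role in order, re-driving validation on denial.
    Returns (allowed, role that allowed access or None, roles tried)."""
    tried = []
    for role in roles:
        tried.append(role)
        if resource in ROLE_RULES.get(role, set()):
            return True, role, tried
    return False, None, tried  # every role exhausted: access denied

if __name__ == "__main__":
    # Same user, same resource, different SYSID used to build the structure.
    for sysid in ("PROD", "TEST"):
        roles = roles_at_signon(build_xref(sysid), "USER01")
        print(sysid, roles, validate(roles, "SYS1.PARMLIB"))
```

In this model, building the structure with the TEST SYSID gives USER01 the SYSPROG role and access that the PROD structure denies, which is the kind of exposure the note about SYSID maintenance describes.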
Copyright © 2011 CA Technologies.
All rights reserved.