Implementing Account Controls
During implementation, set SET ACCTVLD to NO, turning off account validation. Do not turn on full account security (FULL setting) or partial security (LID setting) until you have compiled and stored your account resource rule sets.
There are five steps to implementing VM account support:
1. Determine your account mode setting. Issue the SHOW STATE subcommand to ensure that your ACCTVLD setting is set to NO. The ACCTVLD operand of the OPTS VMO record establishes the account mode. There are three possible settings: FULL, LID, and NO.
   - ACCTVLD(FULL): Indicates that full CA ACF2 for VM account support is in effect (this is the default). CA ACF2 for VM does not use the CP directory for accounting purposes except at system initialization time. We recommend this setting for CA ACF2 for VM account validation.
   - ACCTVLD(LID): Indicates an alternative to full account support. CA ACF2 for VM account support is in effect, but only for specified machines. The CP directory is not used for accounting except at system initialization time.
   - ACCTVLD(NO): Indicates that CA ACF2 for VM account support is disabled. Directory account validations are performed exactly as on a native VM system.
2. Assign the VLDVMACT logonid privilege. This is necessary only if you use the ACCTVLD=LID setting. If you use full account security (ACCTVLD=FULL), skip to Step 3, Assign the VMACCT Logonid Privilege.
   Under the ACCTVLD(LID) account mode setting, the VLDVMACT logonid bit field defines virtual machines for CA ACF2 for VM account validation. Machines without VLDVMACT do not undergo account resource rule validation. These machines are automatically assigned the account numbers kept in their VMACCT logonid fields. If they do not have VMACCT values, they are denied system entry.
   To turn on the VLDVMACT logonid attribute for a virtual machine, a user with the appropriate privilege must enter the CHANGE subcommand under the ACF LID mode setting.
3. Assign the VMACCT logonid privilege. VMACCT defines an eight-byte logonid field that is the default account number for a virtual machine. Virtual machines to undergo CA ACF2 for VM account validation need this privilege if they are to be assigned default accounts. You can turn on the VMACCT logonid attribute for a virtual machine in one of two ways:
   - Execute the ACFCVACT utility, which prepares a file of ACF CHANGE subcommands for creating the VMACCT field values for logonids in the directory. This utility also creates account resource rules from the CP directory.
   - A user with the appropriate privilege can issue the CHANGE subcommand under the ACF LID mode setting. With this subcommand, you can assign this attribute to users on an individual basis.
4. Establish account resource rule sets. Remember, when full account validation is in effect, CA ACF2 for VM automatically validates an account resource rule during system entry or when you issue the SET ACCOUNT command. The CA ACF2 for VM access mode setting and CA ACF2 for VM SECURITY privilege have no bearing on the account resource rule validation process.
   A separate rule is required for each account, but you can use standard CA ACF2 for VM masking conventions. In every rule, the account number is specified as the $KEY value. The UID portion of a rule entry is the machine to use that account number. You can create account resource rules in two ways:
   - Execute the ACFCVACT utility, which converts your account CP directory statements into resource rules. This utility also prepares a file of ACF CHANGE subcommands for creating the VMACCT field values for logonids in the directory.
   - Issue the COMPILE subcommand under the RESOURCE setting. With this subcommand, you can store individual resource rules or many rules from a file.
5. Set the account mode (as determined earlier). Set the ACCTVLD operand in the OPTS VMO record to FULL or LID. Issue the SHOW STATE subcommand of the ACF command to check that your ACCTVLD setting is correct.
For more detailed information on the ACFCVACT utility, see the Reports and Utilities Guide.
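The decision logic the three ACCTVLD settings describe above can be checked against a small model. The following is an added example, not CA code: it treats a rule set as a map from $KEY account number to UID masks, and the mask semantics (`*` matches one character, `-` matches the remainder) and the sample logonids and rules are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Logonid:
    """Constructed stand-in for the logonid fields the page discusses."""
    name: str
    uid: str                          # UID string matched against rule entries
    vmacct: Optional[str] = None      # VMACCT: default account number, if any
    vldvmact: bool = False            # VLDVMACT: subject to rule validation under LID

def mask_match(mask: str, value: str) -> bool:
    """Assumed simplified masking: '*' matches one character, '-' matches the rest."""
    if mask.endswith("-"):
        prefix = mask[:-1]
        return len(value) >= len(prefix) and mask_match(prefix, value[:len(prefix)])
    if len(mask) != len(value):
        return False
    return all(m == "*" or m == v for m, v in zip(mask, value))

def rule_allows(rules: Dict[str, List[str]], account: str, lid: Logonid) -> bool:
    """True if some UID mask in the rule keyed by this account matches the logonid."""
    return any(mask_match(m, lid.uid) for m in rules.get(account, []))

def resolve_account(mode: str, lid: Logonid, requested: Optional[str],
                    rules: Dict[str, List[str]]) -> Tuple[Optional[str], str]:
    """Return (account assigned or None, reason) for one system-entry attempt."""
    if mode == "NO":
        # ACCTVLD(NO): ACF2 does nothing; CP directory validation applies as on native VM
        return requested, "not validated by ACF2; native CP directory rules apply"
    if mode == "LID" and not lid.vldvmact:
        # ACCTVLD(LID) machine without VLDVMACT: VMACCT default, no rule check
        if lid.vmacct is None:
            return None, "denied: no VLDVMACT and no VMACCT value"
        return lid.vmacct, "assigned VMACCT default without rule validation"
    # ACCTVLD(FULL), or LID with VLDVMACT: the account resource rule decides
    account = requested or lid.vmacct
    if account is None:
        return None, "denied: no account requested and no VMACCT default"
    if rule_allows(rules, account, lid):
        return account, "permitted by account resource rule"
    return None, "denied: no rule entry for this UID under $KEY " + account

# Constructed sample rule set: $KEY account -> permitted UID masks
SAMPLE_RULES = {"ACCT100": ["ADMIN-", "PROD*VM"], "ACCT200": ["DEV-"]}
```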
Copyright © 2009 CA Technologies.
All rights reserved.