ACCOUNT resource rules and the VMACCT logonid field values replace the ACCOUNT CP directory statements in native VM.
For example, the following two user definitions are in the CP directory:
USER TLCAMS TLCAMS 2M 8M G
ACCOUNT ACT001
USER AUTOLOG1 AUTOLOG1 2M 8M G
ACCOUNT ACT001
In native VM, the first ACCOUNT statement assigns the account ACT001 to the TLCAMS virtual machine. The second ACCOUNT statement assigns the same account to the AUTOLOG1 machine. In CA ACF2 for VM, the ACCOUNT directory statements are ignored. Instead, CA ACF2 for VM enforces ACCOUNT resource validation. For account validation to work the way the directory entries above define it, both TLCAMS and AUTOLOG1 need the VMACCT field value defined in their logonid records.
The following resource rule is also needed:
$KEY(ACT001) TYPE(ACT)
UID(TLCAMS) ALLOW
UID(AUTOLOG1) ALLOW
The benefits ACCOUNT resource rules provide are twofold. Rules let you specify more than eight accounts for a given user; the ACCOUNT statement does not. You can assign administrative authority over specific accounts to specific users through the %CHANGE control statement in individual resource rule sets. CA ACF2 for VM account support also provides three account mode settings, as explained in the next section.
We provide a REXX exec called ACFCVACT to help you create ACCOUNT resource rules from the CP directory. This exec also prepares a file of ACF CHANGE subcommands for creating the VMACCT field values for logonids in the directory. These values are the default account numbers for virtual machines defined for account validation. You can run the ACFCVACT EXEC during CA ACF2 for VM installation or whenever you implement account validation.
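The conversion described above, as an added Python sketch that is not the ACFCVACT exec or any CA code: it reads CP directory text and produces one TYPE(ACT) rule set per account plus one CHANGE subcommand per logonid. It assumes the first operand of each ACCOUNT statement is the account number, that the UID string begins with the logonid as in the rule shown above, and that the subcommand takes the form CHANGE logonid VMACCT(account); the function names and the sample input are constructed for illustration.

```python
from collections import OrderedDict

# Constructed sample input: the two directory entries shown on this page.
SAMPLE_DIRECTORY = """\
USER TLCAMS TLCAMS 2M 8M G
ACCOUNT ACT001
USER AUTOLOG1 AUTOLOG1 2M 8M G
ACCOUNT ACT001
"""

def parse_directory(text):
    """Return (userid, account) pairs, one per ACCOUNT statement found."""
    pairs, current = [], None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("*"):  # blank or comment line
            continue
        keyword = words[0].upper()
        if keyword == "USER":
            if len(words) < 2:
                raise ValueError("USER statement without a userid: %r" % raw)
            current = words[1].upper()
        elif keyword == "ACCOUNT":
            if current is None or len(words) < 2:
                raise ValueError("misplaced or empty ACCOUNT statement: %r" % raw)
            # Assumption: the first operand is the account number.
            pairs.append((current, words[1].upper()))
    return pairs

def build_rules(pairs):
    """Group userids by account and render one TYPE(ACT) rule set per account."""
    by_account = OrderedDict()
    for userid, account in pairs:
        users = by_account.setdefault(account, [])
        if userid not in users:
            users.append(userid)
    return ["\n".join(["$KEY(%s) TYPE(ACT)" % acct] +
                      ["UID(%s) ALLOW" % u for u in users])
            for acct, users in by_account.items()]

def build_changes(pairs):
    """Render one CHANGE subcommand per logonid, using its first account as VMACCT."""
    default = OrderedDict()
    for userid, account in pairs:
        default.setdefault(userid, account)
    # Assumption: CHANGE logonid VMACCT(account) is the subcommand form used.
    return ["CHANGE %s VMACCT(%s)" % item for item in default.items()]

if __name__ == "__main__":
    found = parse_directory(SAMPLE_DIRECTORY)
    print("\n\n".join(build_rules(found)))
    print("\n".join(build_changes(found)))
```

Reviewing the generated rule sets before compiling them shows exactly which logonids end up with ALLOW for each account, which is the access the directory previously granted implicitly.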
Copyright © 2009 CA Technologies.
All rights reserved.