Understanding SAF › Components of the CA ACF2 for VM SAF Interface

Components of the CA ACF2 for VM SAF Interface

To understand how CA ACF2 for VM processes SAF calls, you must be familiar with these components of the CA ACF2 for VM SAF interface:

• CLASMAP record
• SAFDEF record
• ACFSERVE SECTRACE command
• CA ACF2 for VM access and resource rules

Since CA ACF2 for VM is SAF compliant, the CA ACF2 for VM SAF interface is always active. Even though CA ACF2 for VM processes all SAF calls by default, you can decide whether you want CA ACF2 for VM to validate particular SAF calls.

This section explains the function of each component. Individual components are explained in detail later in this chapter with examples that you can tailor to the unique calls you must define and validate.

CLASMAP Record

The VMO CLASMAP record translates an eight‑character SAF resource class into a three‑byte CA ACF2 for VM resource type code. CA ACF2 for VM checks the CLASMAP record for this type code for all SAF calls.

To see the general CLASMAP record of RESOURCE(********) RSRCTYPE(SAF) defined by CA ACF2 for VM, issue the following command:

SHOW CLASMAP

CA ACF2 for VM searches CLASMAP records in the following manner to determine the type code for a resource call:

• When a SAF general CLASMAP record exists, CA ACF2 for VM searches the external (site‑defined) CLASMAP records. If the general CLASMAP record is the only match, CA ACF2 for VM searches the internal CLASMAP records provided with CA ACF2 for VM. CA ACF2 for VM matches on the most specific CLASMAP regardless of it being an internal or external CLASMAP record. If no match is found, CA ACF2 for VM uses the general type code of SAF.
• When no SAF general CLASMAP exists, CA ACF2 for VM searches the external (site‑defined) CLASMAP records. If no match is found,
  CA ACF2 for VM searches the internal CLASMAP records provided with CA ACF2 for VM. If no match is found, CA ACF2 for VM uses the first three characters of the resource name as the type code.

SAFDEF Record

The VMO SAFDEF record identifies a SAF request and its environment to CA ACF2 for VM. CA ACF2 for VM provides its own SAFDEF records for internal functions. Your site may have to provide SAFDEF records for IBM program products and any other system or application products that make SAF calls. CA ACF2 for VM defines general SAFDEF records to process SAF calls. These internal SAFDEF records provide CA ACF2 for VM protection by default. CA ACF2 for VM searches for a SAFDEF record that defines the specific request and the action you want CA ACF2 for VM to take when it validates the request.

Note: There are SAFDEF restrictions with FASTAUTH processing. FASTAUTH does not allow the use of ENTITY on the RACROUTE field of the SAFDEF.

ACFSERVE SECTRACE Command

The ACFSERVE SECTRACE command is a diagnostic tool that enables you to capture, format, and display the RACROUTE parameter list passed by requests for SAF services. For complete details and command syntax, See Tracing SAF events in the “Using the ACFSERVE Commands” chapter.

CA ACF2 for VM Access and Resource Rules

Access and resource rules enable you to control how CA ACF2 for VM validates access to data sets and resources based on SAF requests. These requests can be made by other program products or system services.