The CLASMAP record translates eight-character resource classes into three-byte CA ACF2 for VM resource type codes. CLASMAP records are not required, but CA ACF2 for VM checks the CLASMAP record for the type code for all SAF calls. When no matching CLASMAP record is found during validation, CA ACF2 for VM uses the first three characters of the resource class as the resource type. The three-character resource type code can enable you to write specific resource rules to validate security calls for a specified class.
A description of the CLASMAP record format and fields follows:
| Record ID | Fields |
|---|---|
| CLASMAPqual | RESOURCE(class) |

Specifies the explicit eight‑character resource class from the CLASS keyword on the RACROUTE macro. Standard CA ACF2 for VM resource name masking conventions apply.
Specifies the explicit three‑character resource type code associated with the class. If you define a RESOURCE but do not define a RSRCTYPE, CA ACF2 for VM uses the first three characters of the RESOURCE as the RSRCTYPE. Use this type code to write resource rules to perform validation. This value cannot be masked. If you want to mask the name of the resource in your resource rule key, add this type code to the VMO RESTYPE record. For more information, see the “About Resource Rules” chapter.
Identifies the MUSASS to which the CLASMAP record applies. This lets several MUSASSes that share the same resource class use different type codes. Standard CA ACF2 for VM resource name masking conventions apply.
Specifies the entity length of the specified SAF class. The default is 0. Zero causes CA ACF2 for VM to search its internal CLASMAP definitions; non‑zero causes the VMO CLASMAP to be used. The resultant CLASMAP record, VMO or internal, is used for RSRCTYPE and ENTITYLN. If the resultant ENTITYLN is zero, CA ACF2 for VM assigns a length of 39, the IBM default.
To create multiple CLASMAP records, append a qualifier to the record name in the format CLASMAPqual to generate a unique record ID (for example, CLASMAPVMAN or CLASMAP.DATASET). The total recid length is 16 bytes. The optional qualifier can be up to nine characters and must immediately follow the characters CLASMAP. If you use a period (.) as part of the qualifier string for the record name, CA ACF2 for VM counts it as one of the nine characters.
You can view the internal (CA ACF2 for VM‑defined) and external (site‑defined) CLASMAP records by issuing the SHOW CLASMAP subcommand.
```
show clasmap
-- INTERNAL CLASMAP DEFINITIONS --
MUSASS   RESOURCE TYPE ENTITY
ID       CLASS    CODE LENGTH
======   ======== ==== ======
CICS     FILE     CFC  8
CICS     PROGRAM  CPC  8
CICS     TRANS    CKC  4
CICS     TRANDATA CTD  8
CICS     TEMPSTRG CTS  8
CICS     DL/I     CPB  8
-        PROGRAM  PGM  8
-        UNVRPRT  UNR  0
-        UNVPGM   UNP  8
-        ACAPPL   ACA  0
-        ACDIALOG ACD  0
-        DIRECTRY SAF  153
-        FILE     SAF  171
-        SFSCMD   SAF  171
-- EXTERNAL CLASMAP DEFINITIONS --
MUSASS   RESOURCE TYPE ENTITY
ID       CLASS    CODE LENGTH
======== ======== ==== ======
******** TSTPROD1 TPI  0
```
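The lookup described above, modelled in Python as an added example (not CA's code): `resolve` applies the ENTITYLN rule and the three-character fallback to the records from the SHOW CLASMAP output, and `shared_type_codes` lists classes that resolve to one type code and so are validated by resource rules of the same type. Assumptions: MUSASS matching is simplified to `-`, an all-asterisk mask, or a literal ID; the first matching record wins; a site record with ENTITYLN 0 is still used when no internal definition matches; all function names are hypothetical.

```python
from collections import defaultdict

# Internal definitions transcribed from the SHOW CLASMAP output on this page:
# (MUSASS ID, resource class, type code, entity length)
INTERNAL = [
    ("CICS", "FILE", "CFC", 8), ("CICS", "PROGRAM", "CPC", 8),
    ("CICS", "TRANS", "CKC", 4), ("CICS", "TRANDATA", "CTD", 8),
    ("CICS", "TEMPSTRG", "CTS", 8), ("CICS", "DL/I", "CPB", 8),
    ("-", "PROGRAM", "PGM", 8), ("-", "UNVRPRT", "UNR", 0),
    ("-", "UNVPGM", "UNP", 8), ("-", "ACAPPL", "ACA", 0),
    ("-", "ACDIALOG", "ACD", 0), ("-", "DIRECTRY", "SAF", 153),
    ("-", "FILE", "SAF", 171), ("-", "SFSCMD", "SAF", 171),
]
EXTERNAL = [("********", "TSTPROD1", "TPI", 0)]  # site-defined record, same output

def _musass_matches(mask, musass):
    # Assumption: "-" and an all-asterisk mask match any MUSASS; anything else
    # is compared literally. Full ACF2 masking is not modelled.
    return mask == "-" or set(mask) == {"*"} or mask == musass

def _find(records, musass, cls):
    # Assumption: the first matching record in listed order wins.
    for mask, rclass, code, length in records:
        if rclass == cls and _musass_matches(mask, musass):
            return code, length
    return None

def resolve(musass, cls, external=EXTERNAL, internal=INTERNAL):
    """Return (type_code, entity_length, source) for a SAF class."""
    ext = _find(external, musass, cls)
    if ext and ext[1] != 0:           # non-zero ENTITYLN: the VMO record is used
        code, length, source = *ext, "external"
    else:                             # zero or absent: search internal definitions
        hit = _find(internal, musass, cls)
        if hit:
            code, length, source = *hit, "internal"
        elif ext:                     # assumption: zero-length site record still applies
            code, length, source = *ext, "external"
        else:                         # no record: first three characters of the class;
            return cls[:3], None, "fallback"  # the page gives no entity length here
    return code, length or 39, source  # resultant ENTITYLN of 0 becomes 39

def shared_type_codes(musass, classes):
    """Group classes by resolved type code; keep codes shared by 2+ classes."""
    groups = defaultdict(list)
    for cls in classes:
        groups[resolve(musass, cls)[0]].append(cls)
    return {code: names for code, names in groups.items() if len(names) > 1}
```

Running `shared_type_codes` over a site's class list shows where a missing CLASMAP record lets two classes fall back to the same three-character prefix.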
You must specify a CLASMAP record for the following type of SAF RACROUTE call that you want to validate.
REQUEST=AUTH,CLASS=DATASET|others
AUTH calls with a CLASS specification of DATASET result in a data set validation. AUTH calls with any other CLASS specified result in a resource validation.
For more information, see Part I: Defining VM System Options.
Copyright © 2009 CA Technologies. All rights reserved.