Implementing External Security with CA ACF2 › Define Roles Based on Function for Validation

Previous Topic: Customize Resource Class with CA ACF2

Next Topic: Define Roles Automatically with DEFSAF

Define Roles Based on Function for Validation

The purpose of roles in CA ACF2 is for validation processing. With CA ACF2, a role is a group of users or a group of groups. You define a group name and then add your groups of sources, resources, or roles to that group one time. You then reuse the group name to specify that group.

Use your defined role as a grouping mechanism to represent multiple users with identical or similar functional requirements or access authority. Adding one group entry to access lists rather than many user IDs simplifies both access and maintenance.

You can define functional roles to use for validation processing.

Follow these steps:

  1. Define your job function, or roles, using any criteria necessary. For example, create a functional role named OPSADMIN for the CA OPS/MVS administrators.

    Note: The REXX program DEFSAF does not define function-based groups.

  2. Assign users to the function roles you defined.
  3. Define individual users to a group.
  4. Assign to that group a role group name in an XREF role group (X-ROL) record.

    The CA ACF2 X-ROL record can specify either a list users or a list of groups. Use the include and exclude parameters plus masking to include many users with fewer statements.

  5. Use the resource rules to specify the role you want to access the resource. You can specify one of the following resources:

Your functional roles are defined.

Note: For more information about roles and XREF, see the CA ACF2 for z/OS Administrator Guide.