Implementing External Security with CA ACF2 › Define Roles Automatically with DEFSAF

Define Roles Automatically with DEFSAF

Roles let you add and remove users from a single point for validation processing. You can automatically define CA ACF2 roles with the DEFSAF REXX utility.

By default, the DEFSAF program defines SAF resource names and roles. If you decide not to use roles, specify the parameter GROUPS(N) on the DEFSAF utility. The resource names are still defined but the default group names are not generated.

Follow these steps:

1. Log in to TSO.
2. Access the DEFSAF REXX utility distributed in the opshlq.CCLXEXEC data set.
3. Run DEFSAF from an CA ACF2 logon ID that has the SECURITY permission.

   The following actions occur:

   • Roles are created based on the CA OPS/MVS facility names. Roles are named appropriately to match the CA OPS/MVS facility they secure.
   • Member DEFACF2 is generated and contains the basic ACF2 commands for securing the processing environment under CA ACF2.
4. Review and modify the example definitions to meet the security requirements of your site.
5. Use the tailored definitions as batch input to CA ACF2.

   Note: Member BATACF2 in opshlq.OPS.CNTL is provided as a sample. For more information about executing CA ACF2 commands in batch, see the CA ACF2 for z/OS Reports and Utilities Guide.

Example: DEFSAF Execution

This example generates the opshlq.OPSS.DEFSAF(DEFACF2) file containing all of the required resource definitions to begin using CA OPS/MVS external security with CA ACF2.

TSO OX 'opshlq.opsnnn.rexx(DEFSAF)' 'ALL SEC(ACF2) ACT(DEFINE) BATCH(Y)'

OPS0996I #DEFSAF Security product is ACF2.
OPS0996I #DEFSAF CA OPS/MVS subsystem OPSS is active.
OPS0996I #DEFSAF 'OPSHLQ.OPSS.DEFSAF(DEFACF2)' has been generated.
***

Note: For a complete example of DEFSAF execution, see the contents of data set member OPSHLQ.OPSS.DEFSAF(DEFACF2).

More information:

Resource Tables and Predefined Resources