Authorize User IDs to Use a Specific Command

Implementing External Security with CA ACF2 › Authorize User IDs to Use a Specific Command

Authorize User IDs to Use a Specific Command

Group names are derived from the facility names that are associated with the security event the group name protects. The resources of some facilities have READ access, other facilities have UPDATE access, and other facilities have both READ and UPDATE verbs. Therefore, the group names are encoded following this pattern:

Facility	Group Name
READ access only	The group name is the same as the facility name or derived from the facility name.
UPDATE access only	The group name is the same as the facility name or derived from the facility name.
READ and UPDATE access	The group name for update access is derived from the facility name for UPDATE. The group name for read access is derived from the facility name with an appended R.

Facility

Group Name

READ access only

The group name is the same as the facility name or derived from the facility name.

UPDATE access only

The group name is the same as the facility name or derived from the facility name.

READ and UPDATE access

The group name for update access is derived from the facility name for UPDATE.

The group name for read access is derived from the facility name with an appended R.

You can authorize a specific user ID or group of user IDs to use a particular CA OPS/MVS command either manually or using DEFSAF. The first procedure explains how to add authorizations manually. The second procedure explains how to execute the CA OPS/MVS REXX program DEFSAF.

Follow these steps:

Look up the command or function in Commands and Functions that Generate External Security. In the row where you find your command or function, make the following notes:
- Note the associated Facility name.
- Note whether your command includes verbs that generate either READ or UPDATE access.
Find the corresponding row that matches both your Facility name and access value. In that row, make a note of the role name.
Note: If you changed the role names from the DEFSAF generated values, be sure to specify those actual role names.
Permit the user ID or role name you want to authorize to the CA ACF2 role.
Issue this CA ACF2 command to add your user IDS to the CA ACF2role:
```
ACF
  SET XREF(ROL)
  CHANGE ACF2_role_name INCLUDE(userid) ROLE ADD
```
You have manually added your authorizations.

Note: Add additional role_names instead of individual users when the role record is for a group of groups.

Follow these steps:

Look up the command or function in Commands and Functions that Generate External Security. In the row where you find your command or function, make the following notes:
- Note the associated Facility name.
- Note whether your command includes verbs that generate either READ or UPDATE access.
Find your access value and do the following tasks:
- If your access value is READ, then execute DEFSAF as follows:
```
DEFSAF <facility> ACT(PERMIT) SAFRO(<userid>)
```
- If your access value is UPDATE, then execute DEFSAF as follows:
```
DEFSAF <facility> ACT(PERMIT) SAFRW(<userid>)
```
  <facility>
  
  Specify the facility name.
  
  <userid>
  
  Specify the user ID or role name you want to authorize.
Your user IDs are authorized.

Tell Technical Publications how we can improve this information