Implementing External Security with CA ACF2 › Create Access Permissions with CA ACF2

Create Access Permissions with CA ACF2

Connecting or permitting site-defined user names authorizes them to the groups or profiles that either you or DEFSAF defined. Execute the REXX DEFSAF utility to define the resource names and groups. Execute DEFSAF again to add user names to those groups.

Use CA ACF2 to create access permissions. You can perform these steps in any order.

Note: The DEFSAF commands provided in the following steps default the BATCH option to YES, which generates member PERACF2 in opqhlq.OPSx.DEFSAF. Send this member to your security administrator to run the CA ACF2 commands in the member from an authorized user ID. If you specify BATCH(N) on DEFSAF, the commands are issued directly. In this mode, the running user ID requires the CA ACF2 authorities to execute successfully.

Follow these steps:

1. Execute the following command to provide the OPSUSER with READ access to all CA OPS/MVS protected resources:

   ISPF EDIT on member DEFSAF in opshlq.CCLXEXEC
   !OI ALL ACT(PERMIT) SAFRO(OPSUSER)
   

   or

   !OX ‘opshlq.CCLXEXEC(DEFSAF)’ ALL ACT(PERMIT) SAFRO(OPSUSER)
   

2. Execute the following command to provide the OPSOPER with UPDATE access to all CA OPS/MVS protected resources:

   ISPF EDIT on member DEFSAF in opshlq.CCLXEXEC
   !OI OPSAOF ACT(PERMIT) SAFRW(OPSOPER)
   

   or

   !OX ‘opshlq.CCLXEXEC(DEFSAF)’ OPSAOF ACT(PERMIT) SAFRW(OPSOPER)
   

3. Execute the following command to provide OPSSQL1 with READ access to all SQL commands:

   ISPF EDIT on member DEFSAF in opshlq.CCLXEXEC
   !OI OPSSQL ACT(PERMIT) SAFRO(OPSSQL1)
   

   or

   !OX ‘opshlq.CCLXEXEC(DEFSAF)’ OPSSQL ACT(PERMIT) SAFRO(OPSSQL1)
   

   Note: The BATCH(Y) option generates the member in opqhlq.OPSx.DEFSAF named PERACF2. Send this member to your security administrator to run the CA ACF2 commands in the member from an authorized user ID. If the user ID where you run the DEFSAF command has sufficient authority, specify BATCH(N) and then issue the commands directly from DEFSAF.

4. Execute OPSSQL1 either with or without GROUPS as follows:
   • Execute OPSSQL1 with GROUPS(Y) and with UPDATE access to all aspects of SQL commands:

     ISPF EDIT on member DEFSAF in opshlq.CCLXEXEC
     !OI OPSSQL ACT(PERMIT) SAFRW(OPSSQL1) GROUPS(Y)
     

     or

     !OX ‘opshlq.CCLXEXEC(DEFSAF)’ OPSSQL ACT(PERMIT) SAFRW(OPSSQL1) GROUPS(Y)
     

   • Execute OPSSQL1 with GROUPS(N) to permit the same access without using groups:

     TSO OX 'opshlq.CCLXEXEC(DEFSAF)' OPSSQL ACT(PERMIT) SAFRO(OPSSQL1) GROUPS(N)
     ISPF EDIT on member DEFSAF in opshlq.CCLXEXEC
     !OI OPSSQL ACT(PERMIT) SAFRO(OPSSQL1) GROUPS(N)
     

     or

     !OX ‘opshlq.CCLXEXEC(DEFSAF)’ OPSSQL ACT(PERMIT) SAFRO(OPSSQL1) GROUPS(N)
     

5. If you did not use DEFSAF, provide OPSSQL1 with READ access to all SQL commands by issuing the following sample CA ACF2 commands:

   SET RES(FAC)
    RECKEY OP$MVS ADD(SQL.- USER(OPSSQL1) SERVICE(READ) ALLOW)
    STORE
   

You have created your access permissions with CA ACF2.