

Data Set Class

If the data set class is used, it is not necessary to define any new resource classes to the external security system. Since the RACROUTE macro is used, all security checks go through the System Authorization Facility. This is why this CA Spool security method is called SAF, instead of using the name of a specific security product.

When the data set class is used, the definitions in the external security system are made in the same way as for real data sets. With RACF, this means using the ADDSD and PERMIT commands. If a user must have access to similarly‑named resources, generic data set names are used.
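The RACF definitions described above could look like the following. This is an added example, not taken from the CA Spool documentation. The qualifier SPOOLQ, the owner SECADM and the group PRTOPER are hypothetical placeholders, the real resource names must follow the product's resource name format, and READ is only an illustrative access level.

```tso
/* Assumption: SPOOLQ is a placeholder high-level qualifier.        */
/* RACF requires the high-level qualifier of a data set profile to  */
/* be a defined user ID or group.                                   */

/* One generic profile covers all similarly-named resources.        */
/* No real data set has to exist for a generic profile.             */
/* The ** form requires enhanced generic naming (SETROPTS EGN).     */
ADDSD 'SPOOLQ.**' UACC(NONE) OWNER(SECADM)

/* Grant access to a group instead of individual users, so the      */
/* access list stays short. PRTOPER is a placeholder group.         */
PERMIT 'SPOOLQ.**' ID(PRTOPER) ACCESS(READ)

/* Refresh the in-storage generic profiles so the change is used.   */
SETROPTS GENERIC(DATASET) REFRESH

/* Check: list the profile together with its access list.           */
LISTDSD DATASET('SPOOLQ.**') AUTHUSER
```

Starting from UACC(NONE) means that nobody has access until a PERMIT grants it, and the LISTDSD output shows who that is.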

If RACF or CA ACF2 is used as the external security package, a large number is specified for the DYNUSER parameter, and CLASS=DATASET is specified on the SAFDEF statement, the use of LSQA could become excessive.

Be aware of the following:

We recommend that you specify DYNUSER as less than 100 or use a class other than DATASET for CA Spool security definitions.

For CA ACF2, if an INFODIR is specified, a directory with all of the rules for that resource type (class) is built in ECSA.

For RACF, a RACLIST'ed general resource class causes a copy of the profile names with the access list to be built in ECSA.