

Use CA ACF2 to Secure CA Spool

CA Spool users require a valid CA ACF2 logon ID (LID) and password combination to log in to CA Spool under CA ACF2. CA ACF2 does not support the concept of INSTDATA or DATA with a LID. Therefore, no INSTDATA is associated with CA ACF2 LIDs.

To secure CA Spool with CA ACF2, follow this process in CA ACF2:

  1. Perform one-time system setup tasks.
  2. Define users according to role.

Perform One-Time System Setup Tasks

  1. Create an ACF2 logon ID (LID) to be associated with the CA Spool address space. This LID must specify the MUSASS attribute, because CA Spool allows multiple users to be signed on to the product simultaneously.

    Note: See the CA-ACF2 Administration Guide for information about the MUSASS attribute.

  2. CA Spool issues a resource validation call for the ESF resource during login to the product. This resource is in the APPL resource class, and the type code of this resource class is APP. Assign a site-defined type code to this resource class by creating a CLASMAP record.

    Note: See the CA-ACF2 Administration Guide for information about CLASMAP records.

  3. Use the following commands to define the APP resource:
    SET C(GSO)
    INSERT CLASMAP.APPL RESOURCE(APPL) RSRCTYPE(APP)

  4. If these resource records are resident, use the following operator command to rebuild the rules:
    F ACF2,REFRESH(INFODIR)


Defining Users According to Role

Define users according to role to grant them access rights to CA Spool resources. Repeat these steps each time that you grant a user access to CA Spool.

  1. Create a resource rule record for adding LIDs.

    Use the following sample commands as models. These commands control access to the CA Spool ESF resource using the default type code of APP. These commands specify users USER001 through USER005 as examples.

    ACF
    SET RESOURCE(APP)
    COMPILE *
    $KEY(ESF) TYPE(APP)
    UID(USER001) SERVICE(READ) ALLOW
    UID(USER002) SERVICE(READ) ALLOW
    UID(USER003) SERVICE(READ) ALLOW
    UID(USER004) SERVICE(READ) ALLOW
    UID(USER005) SERVICE(READ) ALLOW
    END
    STORE
    END
    
  2. Rebuild the APP resource class with the recently added user IDs. Use the following operator command as a model:
    F ACF2,REBUILD(APP)

  3. Define the user according to role. Use the following sample commands as models. These commands specify users USER001 through USER005 (created in the previous steps) as examples.

Sample Commands for Defining Users According to Role

The following sample CA ACF2 commands illustrate how to define users according to role with the appropriate authorizations for their type and access rights. Use the following examples as models.

Verify that the resource to which you grant access matches its appropriate SAFTYPE external entry. For a detailed explanation, see the example for the ORDINARY LID.

SUPER LID

To define the SUPER LID USER002 with a CA ACF2 access rule for the ESFSECU resources, use the following rule:

ACF
SET RULE
COMPILE
$KEY(ESFSECU)
$OWNER('SUPER CA Spool LID')
 - UID(USER002) R(A) W(A)
END
STORE
END

(Optional) To make the access rules for the user resident, rebuild the rules in storage. Use the following command:

F ACF2,RELOAD(ESFSECU)

ORDINARY LID

To define the LID USER001 with ordinary access to the CA Spool jobs, use the following rule:

ACF
SET RULE
COMPILE
$KEY(ESFSECU)
$OWNER('Ordinary CA Spool LID')
 - UID(USER001)
NOGR%%.G0000001         UID(USER001) R(A) W(A)
FIGR%%.G0000001         UID(USER001) R(A)
FIGR%%.G0000001.USER001 UID(USER001) R(A) W(A)
CMND                    UID(USER001) R(A)
END
STORE
END

Each resource to which you grant access must match its appropriate SAFTYPE external entry. For example, consider this statement:

NOGR%%.G0000001         UID(USER001) R(A) W(A)

This statement matches the following SAFTYPE external entry statement:

SAFTYPE 7,'ESFSECU.NOGR&REQ(6,2).G&GRP(1,7)',EXT,NOINT

(Optional) To make the access rules for the user resident, rebuild the rules in storage. Use the following command:

F ACF2,RELOAD(ESFSECU)

OPERATOR LID

To define the LID USER003 with operator access to the CA Spool jobs, use the following rule:

ACF
SET RULE
COMPILE
$KEY(ESFSECU)
$OWNER('OPERator CA Spool LID')
 - UID(USER003)
NOGR%%.G0000003         UID(USER003) R(A) W(A)
FIGR%%.G0000001         UID(USER003) R(A)
FIGR%%.G0000001.USER003 UID(USER003) R(A) W(A)
CMND.REINIT             UID(USER003)
CMND.SHUTDOWN           UID(USER003)
CMND                    UID(USER003) R(A)
END
STORE
END

(Optional) To make the access rules for the user resident, rebuild the rules in storage. Use the following command:

F ACF2,RELOAD(ESFSECU)

JUNIOR LID

To define the LID USER004 with junior access to the CA Spool jobs, use the following rule:

ACF
SET RULE
COMPILE
$KEY(ESFSECU)
$OWNER('JUNIOR CA Spool LID')
 - UID(USER004)
NOGR%%.G0000001         UID(USER004) R(A) W(A)
NOGR%%.G0000002         UID(USER004) R(A) W(A)
FIGR%%.G0000001         UID(USER004) R(A) W(A)
FIGR%%.G0000001.USER004 UID(USER004) R(A) W(A)
FIGR%%.G0000002         UID(USER004) R(A) W(A)
FIGR%%.G0000002.USER004 UID(USER004) R(A) W(A)
AUTH.GLACC              UID(USER004) R(A)
AUTH.ALLGR              UID(USER004) R(A)
END
STORE
END

(Optional) To make the access rules for the user resident, rebuild the rules in storage. Use the following command:

F ACF2,RELOAD(ESFSECU)

TINY LID

To define the LID USER005 with tiny access to the CA Spool jobs, use the following rule:

ACF
SET RULE
COMPILE
$KEY(ESFSECU)
$OWNER('TINY CA Spool LID')
 - UID(USER005)
NOGR%%.G0000003         UID(USER005) R(A) W(A)
FIGR%%.G0000001         UID(USER005) R(A)
FIGR%%.G0000001.USER005 UID(USER005) R(A) W(A)
NONO%%.PRT1A            UID(USER005) R(A) W(A)
FINO%%.PRT1A.TINY       UID(USER005) R(A) W(A)
END
STORE
END

(Optional) To make the access rules for the user resident, rebuild the rules in storage. Use the following command:

F ACF2,RELOAD(ESFSECU)
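The following Python script is an added example, not part of this documentation and not CA code. It lets an administrator reason about what the role rule sets above actually grant before loading them: it expands the SAFTYPE external entry from the ORDINARY LID section into a resource name, then evaluates the ORDINARY, OPERATOR and SUPER rule sets against constructed requests. The matching logic is a deliberately simplified model of CA ACF2 behaviour, stated here as an assumption: `%` matches exactly one character, a trailing `-` matches any remainder, the most specific matching entry for the user decides, and an entry with no access keywords (such as `CMND.REINIT UID(USER003)`) means PREVENT. The `&REQ(6,2)` and `&GRP(1,7)` substitutions are treated as 1-based substring (start,length) picks from constructed field values; the request and group values themselves are constructed.

```python
import re
from dataclasses import dataclass

# Rule entries copied from the $KEY(ESFSECU) rule sets on the page.
RULE_SETS = {
    "ORDINARY": """
 - UID(USER001)
NOGR%%.G0000001         UID(USER001) R(A) W(A)
FIGR%%.G0000001         UID(USER001) R(A)
FIGR%%.G0000001.USER001 UID(USER001) R(A) W(A)
CMND                    UID(USER001) R(A)
""",
    "OPERATOR": """
 - UID(USER003)
NOGR%%.G0000003         UID(USER003) R(A) W(A)
FIGR%%.G0000001         UID(USER003) R(A)
FIGR%%.G0000001.USER003 UID(USER003) R(A) W(A)
CMND.REINIT             UID(USER003)
CMND.SHUTDOWN           UID(USER003)
CMND                    UID(USER003) R(A)
""",
    "SUPER": """
 - UID(USER002) R(A) W(A)
""",
}

ENTRY_RE = re.compile(r"^\s*(\S+)\s+UID\((\S+)\)\s*(.*)$")
ACCESS_RE = re.compile(r"\b([RWAE])\(([ALP])\)")
SAFTYPE_RE = re.compile(r"&([A-Z]+)\((\d+),(\d+)\)")
DECISION = {"A": "ALLOW", "L": "LOG", "P": "PREVENT"}


@dataclass
class Entry:
    name: str      # resource name mask below the $KEY, e.g. NOGR%%.G0000001
    uid: str       # UID string the entry applies to
    access: dict   # e.g. {"R": "A", "W": "A"}; a missing key means PREVENT


def parse_rule_set(text):
    """Parse the rule entry lines of one rule set into Entry objects."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule line: {line!r}")
        name, uid, rest = m.groups()
        entries.append(Entry(name, uid, dict(ACCESS_RE.findall(rest))))
    return entries


def mask_matches(mask, name):
    """Simplified masking model (assumption): '%' matches one character,
    a trailing '-' matches any remainder, everything else is literal."""
    if mask.endswith("-"):
        prefix = mask[:-1]
        return len(name) >= len(prefix) and mask_matches_exact(prefix, name[:len(prefix)])
    return mask_matches_exact(mask, name)


def mask_matches_exact(mask, name):
    return len(mask) == len(name) and all(m == "%" or m == c for m, c in zip(mask, name))


def specificity(mask):
    """More literal characters means a more specific entry (assumed ordering)."""
    return sum(1 for c in mask if c not in "%-")


def check_access(entries, uid, resource, access_type):
    """Decide ALLOW / LOG / PREVENT for one user, resource name and access type
    using the most specific matching entry; no match or no keyword is PREVENT."""
    matching = [e for e in entries if e.uid == uid and mask_matches(e.name, resource)]
    if not matching:
        return "PREVENT"
    best = max(matching, key=lambda e: specificity(e.name))
    return DECISION[best.access.get(access_type, "P")]


def expand_saftype(template, fields):
    """Expand &NAME(start,len) picks in a SAFTYPE template (1-based start assumed)."""
    def pick(m):
        name, start, length = m.group(1), int(m.group(2)), int(m.group(3))
        return fields[name][start - 1:start - 1 + length]
    return SAFTYPE_RE.sub(pick, template)


def strip_key(entity, key):
    """Remove the $KEY high-level qualifier so the rest can be matched against entries."""
    prefix = key + "."
    if not entity.startswith(prefix):
        raise ValueError(f"{entity} is not under $KEY({key})")
    return entity[len(prefix):]


def demo():
    saftype = "ESFSECU.NOGR&REQ(6,2).G&GRP(1,7)"          # from the page
    fields = {"REQ": "REQ00DSP", "GRP": "0000001"}        # constructed field values
    resource = strip_key(expand_saftype(saftype, fields), "ESFSECU")
    ordinary = parse_rule_set(RULE_SETS["ORDINARY"])
    operator = parse_rule_set(RULE_SETS["OPERATOR"])
    results = {
        "resource": resource,
        "USER001 W on own group": check_access(ordinary, "USER001", resource, "W"),
        "USER001 R on other group": check_access(ordinary, "USER001", "NOGRDS.G0000002", "R"),
        "USER003 CMND": check_access(operator, "USER003", "CMND", "R"),
        "USER003 CMND.REINIT": check_access(operator, "USER003", "CMND.REINIT", "R"),
    }
    for label, value in results.items():
        print(f"{label:28} {value}")
    return results


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the two behaviours worth checking before a RELOAD: the ORDINARY LID gets write access to NOGRDS.G0000001 because the `NOGR%%.G0000001` entry masks the two request bytes, but falls through to the bare `- UID(USER001)` entry (and is prevented) for any other group; the OPERATOR LID is allowed general CMND access while the more specific `CMND.REINIT` and `CMND.SHUTDOWN` entries, which carry no access keywords, prevent those two commands.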