Controlling Access to the Hierarchical File System › CA SAF HFS Security

CA SAF HFS Security

CA SAF HFS security is an application of CAIENF/USS. This security application is activated when the appropriate DCM modules are linked into the ENF database.

The process to implement CA SAF HFS security is:

• Determine if exit processing is required for path name translation, user path definition, or to enable file ownership.
• If using the exit, assemble and link the exit code using the sample SMPE usermod in OPMAT member UD00001.
• Define HFS file and function resource authorizations.

  CA recommends that all the function resources described in the previous sections be defined. Use the CA SAF HFS ADD/PERMIT Generation Utility to assist in creating these resource rules.

• If you utilize the user file ownership feature of CA SAF HFS security define authorizations for users.
• Verify that the proper level of CAIENF is available to support ENF/USS.

  CA Common Services for z/OS with the following APARs provides this support: LO89578 through LO89581, LO89584, LO92642, and LO94652, and LO94657.

• The ENF started task must be a valid OMVS user. Ensure the ENF ACID specifies a group. Install the following DCM modules into the ENF database using the ENFDB utility program: CARRDCM0 (Framework) and J163DCM0(CA Top Secret).
• Defining a VLF class for use as a cache can enhance performance of ENF/USS. The cache size is determined by the MAXVIRT specification. The number of cache entries is approximated by dividing the defined amount of VLF storage by the average size of your path names. Add the following to your current COFVLFxx member in SYS1.PARMLIB:

  CLASS NAME(CAENFU)      /* ENF/USS pathname cache */
        EMAJ(PATHCACHE)   /* Major name             */
        MAXVIRT(256)      /* 1 megabyte             */ 
  

  Adding the NODSNCHK attribute to the BPXOINIT logonid during initial testing allows OMVS to successfully initialize without violations. Once appropriate authorizations are in place, the NODSNCHK attribute should be removed.

  The following message is issued by CAIENF/USS at ENF startup when CA SAF HFS security is successfully initialized:

  CARR036I ‑ SAFHFINT / J163 Now Initialized
  

• Set the CA Top Secret Control Option HFSSEC to ON: HFSSEC(ON)
• Run TSSUTIL during the implementation phase. Review violations and loggings for HFSSEC and IBMFAC resource types and create appropriate authorizations.