

Steps for Converting the CA ACF2 View Access Rule into CA ACF2 View Resource Rule

Starting with CA View Release 11, SAF calls are used to protect CA View resources through external security. Therefore, the CA ACF2 Data Set Access rules that protected these resources in previous releases must be converted to the CA ACF2 Resource Rule.

Note: For more information about implementing this procedure, see the CA ACF2 security section in this chapter.

Use the following guidelines to convert the CA View data set rule into a CA View resource rule.

  1. Issue the following command to decompile the existing CA View access rule into a PDS.
    READY
    DECOMP view-rule into(rule.pds)
    
  2. Edit the rule.pds member using any valid utility such as ISPF EDIT to make the following rule changes:
    1. Change the record from an access rule to a resource rule.
    2. Convert all access rule lines to include a resource rule SERVICE option and an ALLOW permission, and remove the '.$' character string from any rule line.
    3. Add new resource rules for resources that were not a part of previous releases of CA View.
  3. Implement the rule changes in Step 2 as follows:

    Access rule line shows:

    REPORTX UID (....) R(A)
    PRODJOBR.$275  UID(....) W(A)
    

    Change the rules to reflect a SERVICE option with permission of ALLOW and to remove the '.$' character string:

    REPORTX UID (....) SERVICE (READ) ALLOW
    PRODJOBR275 UID (...) SERVICE (UPDATE) ALLOW
    
  4. After the PDS member is changed, compile and store the new resource rule. Use the following CA ACF2 commands to accomplish this step:
    READY
    SET RESOURCE(VCL)
    COMPILE 'RULE.PDS'
    
  5. Test the resulting resource rule using the CA ACF2 resource rule test command.

    Note: For more information about how to test the resource rule, see the CA ACF2 Administration Guide.

  6. The CA View resource rule should be defined as a resident rule. The CA View Security documentation shows all the commands needed to define the rule as a resident directory.
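
The line edits from Steps 2 and 3, as an added Python example (not part of the original documentation and not CA tooling): it converts only the two permission forms shown above and returns every other line for manual review instead of guessing a permission. The function names are hypothetical, and the UID masks, the `PAYROLL` and `ARCHIVE` entries and the `$KEY` value are constructed sample data.

```python
import re

# Only the two mappings shown in Step 3; any other permission is left to a human.
PERMISSION_MAP = {"R(A)": "READ", "W(A)": "UPDATE"}

# <name> UID(<mask>) <permission>, tolerating a space before the parenthesis.
RULE_LINE = re.compile(
    r"^\s*(?P<name>\S+)\s+UID\s*\((?P<uid>[^)]*)\)\s+(?P<perm>\S.*?)\s*$"
)

def convert_line(line):
    """Return (resource_rule_line, None) or (None, reason) for one line."""
    m = RULE_LINE.match(line)
    if not m:
        return None, "not a '<name> UID(...) <permission>' rule line"
    service = PERMISSION_MAP.get(m["perm"].replace(" ", ""))
    if service is None:
        return None, f"permission {m['perm']!r} has no mapping in the procedure"
    name = m["name"].replace(".$", "")  # Step 2.2: drop the '.$' string
    return f"{name} UID({m['uid']}) SERVICE({service}) ALLOW", None

def convert_rule(text):
    """Split decompiled rule text into converted lines and lines to review."""
    converted, review = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        new_line, reason = convert_line(line)
        if new_line is None:
            review.append((number, line.strip(), reason))
        else:
            converted.append(new_line)
    return converted, review

# Constructed sample of a decompiled access rule (UID masks are made up).
SAMPLE = """\
$KEY(VIEWDB)
REPORTX UID(OPS*) R(A)
PRODJOBR.$275  UID(OPS*) W(A)
PAYROLL.$10 UID(FIN*) R(A) W(A)
ARCHIVE UID(AUD*) R(L)
"""

if __name__ == "__main__":
    done, todo = convert_rule(SAMPLE)
    print("\n".join(done))
    for number, line, reason in todo:
        print(f"REVIEW line {number}: {line}  ({reason})")
```

Lines returned for review include the rule header, which Step 2.1 changes by hand, and any entry that combines permissions or uses a value other than allow.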