ACF2

Access to Resources

Resident Resource Rules

Global

ACF2 resource rules can be made globally resident using the GSO INFODIR record. INFODIR is recommended over the use of the RESDIR GSO entry. INFODIR is similar to the RACF SETROPTS RACLIST facility. Resource rules can also be made resident via a SAF call REQ=LIST with GLOBAL=YES (see APAR LO77348). Other types of info-storage entries, such as scopelists, are also resident. Check the ACF2 documentation for more information.

Once a resource rule is resident, any change to that rule requires an F ACF2,REBUILD command to refresh the active copy of the rule.

Under some circumstances, it may be necessary to make some resource rules resident for them to work. For instance:

See the ACFRES REXX on the REXX samples page here for a diagnostic aid.

Local

ACF2 also may cache a local copy of a resource rule for a specific address space. For long-running tasks, it may also be necessary to issue F ACF2,SETNORUL to allow them to "see" the updated version of a rule. For TSO users or batch jobs, it is just as easy to re-logon or resubmit the job.

Resource Validation

SAF resource classes are mapped via CLASMAP entries to ACF2 resources. Internal CLASMAP entries are supplied by ACF2. CLASMAP GSO entries can be used to add additional entries. Usually, any unmatched entries are mapped to resource class SAF.

The processing of SAF calls is controlled by SAFDEF entries. Again, internal entries are supplied with the product. The installation can also customize SAF processing using SAFDEF GSO entries. Unlike RACF, if a resource has not been defined to ACF2, ACF2 will generally deny access to the resource unless a SAFDEF with ACTION=IGNORE applies to the SAF validation.

The ACF2 SECTRACE facility can be used to troubleshoot problems with resource validation. ACF2 SMF records are another useful source of information. Refer to the ACF2 Reports and Utilities guide for information on analyzing these records.

Often, it is helpful to refer to both the OS/390 Security Server (RACF) documentation and the ACF2 documentation to gain a full understanding of what is going on.

ACF2 is a trademark of Computer Associates. RACF and OS/390 Security Server are trademarks of IBM Corporation.
