Access to Resources
Once a resource rule is resident, if changes are made to these resource, an F ACF2,REBUILD command is required to refresh the active copy of this rule.
Under some circumstances, it may be necessary to make some resource rules resident for them to work. For instance:
ACF2 also may cache a local copy of a resource rule for a specific address space. For long-running tasks, it may also be necessary to issue F ACF2,SETNORUL to allow them to "see" the updated version of a rule. For TSO users or batch jobs, it is just as easy to re-logon or resubmit the job.
The processing of SAF calls is controlled by SAFDEF entries. Again, internal entries are supplied with the product. The installation can also customize SAF processing using SAFDEF GSO entries. Unlike RACF, if a resource has not been defined to ACF2, ACF2 will generally deny access to the resource unless a SAFDEF with ACTION=IGNORE applies to the SAF validation.
The ACF2 SECTRACE facility can be used to troubleshoot problems with resource validation. Another useful source of information are ACF2 SMF records. Refer to the ACF2 Reports and Utilities guide for information on analyzing these records.
Often, it is helpful to refer to both the OS/390 Security Server (RACF) documentation and the ACF2 documentation to gain a full understanding of what is going on.
ACF2 is a trademark of Computer Associates. RACF and OS/390 Security Server are trademarks of IBM Corporation.