You are on page 1of 2

ACF2 Resources http://billlalonde.tripod.com/acf2res.

htm

Ads by Google

EMC VNX Unified Storage Storage Virtualization


Simple, Efficient Unified Storage Free EMC Demo, Video, & Affordable Storage Virtualization & HA For VMware Environments
Whitepaper! StorMagic.com
www.emc.com/VNX-Unified-Storage

Access to Resources

Resident Resource Rules


Global
ACF2 resource rules can be made globally resident using the GSO INFODIR record. INFODIR is recommended
over the use of the RESDIR GSO entry. INFODIR is similar to the RACF SETROPTS RACLIST facility. Also,
resource rules can be made resident via a SAF call REQ=LIST with GLOBAL=YES. (See APAR LO77348). Other
types of info-storage entries are also resident, such as scopelists. Check the ACF2 documentation for more
information.

Once a resource rule is resident, if changes are made to these resource, an F ACF2,REBUILD command is required
to refresh the active copy of this rule.

Under some circumstances, it may be necessary to make some resource rules resident for them to work. For
instance:

resource rules which make use of masking in the key fields


resource rules accessed using SAF REQUEST=FASTAUTH. Note that the ACF2 report will say "no record
found" if the rule is not resident.
profile infostorage entries for Unix System Services users and groups

See the ACFRES REXX on the REXX samples page here for a diagnostic aid.

Local
ACF2 also may cache a local copy of a resource rule for a specific address space. For long-running tasks, it may also
be necessary to issue F ACF2,SETNORUL to allow them to "see" the updated version of a rule. For TSO users or
batch jobs, it is just as easy to re-logon or resubmit the job.

Resource Validation
SAF resource classes are mapped via CLASMAP entries to ACF2 resources. Internal CLASMAP entries are
supplied by ACF2. CLASMAP GSO entries can be used to add additional entries. Usually, any unmatched entries
are mapped to resource class SAF.

The processing of SAF calls is controlled by SAFDEF entries. Again, internal entries are supplied with the product.
The installation can also customize SAF processing using SAFDEF GSO entries. Unlike RACF, if a resource has not
been defined to ACF2, ACF2 will generally deny access to the resource unless a SAFDEF with ACTION=IGNORE
applies to the SAF validation.

The ACF2 SECTRACE facility can be used to troubleshoot problems with resource validation. Another useful
source of information are ACF2 SMF records. Refer to the ACF2 Reports and Utilities guide for information on
analyzing these records.

Often, it is helpful to refer to both the OS/390 Security Server (RACF) documentation and the ACF2 documentation

1 of 2 25/05/2011 10:12
ACF2 Resources http://billlalonde.tripod.com/acf2res.htm

to gain a full understanding of what is going on.


ACF2 is a trademark of Computer Associates. RACF and OS/390 Security Server are trademarks of IBM Corporation.

Ads by Google

Servidores HP
Servidores, partes e peças HP Dmstor Informática entre e confira!
www.dmstor.com.br

2 of 2 25/05/2011 10:12