Defining CA ACF2 access rules


Whenever the access filter is enabled, Strobe passes the resource rules to CA ACF2. Therefore, if you have enabled the access filter, you must define rules to CA ACF2. If you have not defined the rules, CA ACF2 allows Strobe users to measure only those jobs that begin with their user ID.

Two different CA ACF2 releases can have common syntax for defining the resource rules, but different procedures for defining resource types. For additional information, refer to the CA ACF2 Administrator Guide.

Warning

You must always define the Strobe session manager to CA ACF2 as a Multi User Single Address Space System (MUSASS). If AutoStrobe is enabled, you must define started task STRMSAS as an ACF2 logon ID.

Complete the following steps to define a resource type.

Task 3.7.1: Define a Resource Type for CA ACF2

1. Add the following CLASMAP control record:

SET CONTROL(GSO)
INSERT CLASMAP RSRCTYPE(STR) RESOURCE(STROBE)

Tip

With Release 17.02 and later, you can specify a user-defined resource name. See SECURITY_CLASS= for more information.

2. Add the following INFODIR record:

SET CONTROL(GSO)
CHANGE INFODIR TYPES(D-RSTR)

3. Issue the following command to refresh modified GSO records:

F ACF2,REFRESH(CLASMAP,INFODIR)

4. Issue the following command to rebuild the resident directory:

F ACF2,REBUILD(STR),CLASS(R)

Task 3.7.2: Define CA ACF2 Resource Rules

The following commands define the resource rules for access to Strobe. Use the values in $KEY Keywords for command variables. Enter the commands on the command line in a TSO session.

1. Set the resource type to STR with the following command:

SET RESOURCE(STR)

2. Use the $KEY command to specify user access to target jobs of identified types on identified systems. Repeat this step until all Strobe users have access to the appropriate jobs.

$KEY($STROBE.sysid.jobtype.jobnamemask) UID(userid|grp) TYPE(STR) SERVICE(READ)

3. Use the $KEY command to specify MANAGER and ADMIN profiles. Repeat this step for all users who require access to Strobe administrative functions.

$KEY($STROBE.authtype) UID(userid|grp) TYPE(STR) SERVICE(READ)

$KEY Keywords

| Keyword | Function |
| --- | --- |
| sysid | Identify the MVS system name as specified in the IEASYSxx member of SYS1.PARMLIB. |
| jobtype | Specify the type of target address space (job for batch job, stc for started tasks, tsu for TSO user IDs, appc for advanced program-to-program communication, omvs for OpenEdition). |
| jobname | Identify the job name or set of job names with a common prefix of targets to which CA ACF2 allows access. Use an asterisk (*) after the prefix to identify names with a common prefix. For example: MEASURE1 specifies access only to the job name MEASURE1; M* specifies access to all jobs whose job names begin with M. |
| userid | Specify the user ID of the submitter of the request. |
| grp | Identify the group to which the user ID of the request submitter is defined. |
| authtype | Indicate the authorization type (ADMIN or MANAGER) for access to Strobe management functions. |

Task 3.7.3: Initialize the CA ACF2 Examples

The following CA ACF2 examples assume that you have defined a resource type of STR with a SUBSYS name of Strobe, as detailed above.

Example 1: Access to a Specific System

The following commands give access to all address spaces running on system SYSA to users with IDs that begin with STR:

SET RESOURCE(STR)
$KEY($STROBE.SYSA.*) UID(STR-----) TYPE(STR) SERVICE(READ)

Example 2: Access to a Set of Jobs

The following commands give the user IDs JMARTIN and ANDERSON access to all batch jobs on system SYSB whose job names begin with RED.

$KEY($STROBE.SYSB.JOB.RED*****) UID(JMARTIN) TYPE(STR) SERVICE(READ)
$KEY($STROBE.SYSB.JOB.RED*****) UID(ANDERSON) TYPE(STR) SERVICE(READ)

Example 3: Privileged Access to Session Manager

The following commands authorize the user ID SANDY to start Strobe from a batch job and the user ID COUGHLIN to maintain Strobe.

$KEY($STROBE.MANAGER) UID(SANDY) TYPE(STR) SERVICE(READ)
$KEY($STROBE.ADMIN) UID(COUGHLIN) TYPE(STR) SERVICE(READ)
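For a least-privilege review of rules written in the single-line form shown in these examples, the following Python sketch is an added example, not part of the product documentation or of CA ACF2. It assumes a simplified mask model in which trailing `*` or `-` characters mean "any suffix", which is not CA ACF2's own matching logic, and it evaluates only explicit rules; the function names and the `RULES` sample are hypothetical.

```python
import re

# Constructed sample: the rule lines from this page's three examples.
RULES = """\
$KEY($STROBE.SYSA.*) UID(STR-----) TYPE(STR) SERVICE(READ)
$KEY($STROBE.SYSB.JOB.RED*****) UID(JMARTIN) TYPE(STR) SERVICE(READ)
$KEY($STROBE.SYSB.JOB.RED*****) UID(ANDERSON) TYPE(STR) SERVICE(READ)
$KEY($STROBE.MANAGER) UID(SANDY) TYPE(STR) SERVICE(READ)
$KEY($STROBE.ADMIN) UID(COUGHLIN) TYPE(STR) SERVICE(READ)
"""
LINE = re.compile(r"\$KEY\(\$STROBE\.([^)]+)\)\s*UID\(([^)]+)\)")
PRIVILEGED = {"ADMIN", "MANAGER"}

def parse(text):
    """Return (key_parts, uid_mask) for each $KEY line found in text."""
    return [(m.group(1).upper().split("."), m.group(2).upper())
            for m in LINE.finditer(text)]

def split_mask(mask):
    """Assumed model: trailing '*' or '-' characters mean 'any suffix'."""
    stem = mask.rstrip("*-")
    return stem, stem != mask

def matches(mask, value):
    stem, wild = split_mask(mask)
    return value.startswith(stem) if wild else value == stem

def review(text):
    """Flag privileged grants, keys that leave the job name open, UID masks."""
    findings = []
    for parts, uid in parse(text):
        key = "$STROBE." + ".".join(parts)
        if len(parts) == 1 and parts[0] in PRIVILEGED:
            findings.append(("privileged", key, uid))
        elif len(parts) < 3 or split_mask(parts[2])[0] == "":
            findings.append(("broad-resource", key, uid))
        if split_mask(uid)[1]:
            findings.append(("uid-mask", key, uid))
    return findings

def can_measure(text, uid, sysid, jobtype, jobname):
    """True if some measurement rule covers this user and target job."""
    target = [sysid, jobtype, jobname]
    for parts, mask in parse(text):
        if parts[0] in PRIVILEGED and len(parts) == 1:
            continue  # authtype rules grant functions, not job access
        covers_all = len(parts) == 3 or split_mask(parts[-1])[1]
        if (matches(mask, uid) and covers_all
                and all(matches(p, t) for p, t in zip(parts, target))):
            return True
    return False

if __name__ == "__main__":
    for finding in review(RULES):
        print(*finding)
```

Run against the page's examples, the review flags the SYSA rule twice (open resource key and masked UID) and lists the MANAGER and ADMIN grants for periodic recertification.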

 
