You must modify the ACF2 security rules to interface with the Classic Interface.
About this task
To modify ACF2 security rules, do the following:
Procedure
- If you run the Classic Interface in VTAM® mode, define the name of its started task to ACF2.
  The started task name that you use for the Classic Interface in VTAM mode should have the MUSASS attribute assigned. This allows ACF2 to check the individual user authorization rather than using the address space ID of the Classic Interface. If STC(NO) is specified, you must run the Classic Interface in batch mode with a job name that has the MUSASS attribute.
- To set up a resource class for ACF2, define a generalized resource class name, for example, O2S.
  Requirement: It must be the same name that you use when you define the resource class in the security exit routine.
  For generalized resources, the name consists of three characters but gets the letter R as prefix within the security exit. This allows the Classic Interface to make security checks.
- Define an ACF2 rule for resource INITIAL.
  This allows VTAM users to log on to the Classic Interface, as in the following example:

      ACFNRULE KEY(INITIAL) TYPE(O2S) ADD(UID(****************uid) ALLOW)

  Requirement: O2S must be identical to the resource class name that you define in the security exit routine.
  uid is a user ID or a user ID mask. If you want to restrict the use of the /PWD command, refer to Optional Classic User Interface external security features.
- Define resource rules for the command that you want to protect by using the KEY operand of the ACF2 rule compiler.
  The following example authorizes a user to execute the PEEK command with ACF2:

      ACFNRULE KEY(PEEK) TYPE(O2S) ADD(UID(****************USER01) ALLOW)

  For information about the format of the string, ask your security administrator.
- Include the ACF2 macro library and the IBM® macro library &thilev.TKANMAC in the assembly of the security exit routine.
What to do next
Important: When you authorize commands, the Classic Interface modifies the command name. For example, it makes the following replacements:
- It replaces the slash of the INFO-line commands with a dollar sign. For example, /ccccc becomes $ccccc and /LOGOUT is defined to ACF2 as $LOGOUT in CLASS(cccccccc).
- It replaces the period of the immediate commands with @. For example, .cccc becomes @cccc.
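
The following Python sketch is an added example, not IBM code. It applies the prefix replacements described above, builds ACFNRULE statements in the form shown in the procedure, and flags rule keys still written with the untranslated / or . prefix. The function names and the sample UID strings are assumptions for illustration.

```python
# Added example, not IBM code. Function names and sample UID strings are
# assumptions; only the ACFNRULE form shown on this page is used.

PREFIX_MAP = {"/": "$", ".": "@"}  # INFO-line and immediate command prefixes


def resource_key(command):
    """Name the Classic Interface uses for a command in the ACF2 check."""
    command = command.strip()
    if not command:
        raise ValueError("empty command name")
    if command[0] in PREFIX_MAP:
        return PREFIX_MAP[command[0]] + command[1:]
    return command


def exit_class_name(resource_type):
    """Generalized resource type (three characters) as named in the exit."""
    if len(resource_type) != 3:
        raise ValueError("generalized resource type must be three characters")
    return "R" + resource_type


def build_rules(resource_type, logon_uid, grants):
    """ACFNRULE statements: INITIAL first, then one per (command, UID) grant."""
    exit_class_name(resource_type)  # rejects a type that is not three characters
    entries = [("INITIAL", logon_uid)]
    entries += [(resource_key(cmd), uid) for cmd, uid in grants]
    return [
        f"ACFNRULE KEY({key}) TYPE({resource_type}) ADD(UID({uid}) ALLOW)"
        for key, uid in entries
    ]


def untranslated_keys(keys):
    """Keys still written with / or ., which differ from the translated name."""
    return [k for k in keys if k[:1] in PREFIX_MAP]


if __name__ == "__main__":
    # Constructed input: UID strings follow the masks in the page's examples.
    star = "*" * 16
    grants = [("PEEK", star + "USER01"), ("/LOGOUT", star + "USER01")]
    for line in build_rules("O2S", star + "uid", grants):
        print(line)
    print(untranslated_keys(["INITIAL", "/LOGOUT", ".cccc", "$LOGOUT"]))
```
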