Setting up CA-ACF2 rules
In this step, you set up the CA-ACF2 rules to interface with OMEGAMON®.
Complete these steps:
- Define the name of the OMEGAMON started task to ACF2. The name is the started task name you specified for the realtime collector during configuration (parameter KM2_CLASSIC_STC in the configuration file). The started task name must have the MUSASS attribute assigned. This allows ACF2 to check the individual user's authorization rather than using the OMEGAMON address space ID.
- Set up a resource class in CA-ACF2 to allow OMEGAMON to make the security checks. Define a generalized resource class name, for example OMS. This name will be three characters long for generalized resources. When you set up the exit, you will need to use this same class name prefixed with the letter R (for example, the OMS class name needs to be ROMS in the exit).
- Define a CA-ACF2 rule for resource INITIALx (where x is 0, 1, 2, 3, or blank) to allow users to log on to OMEGAMON. For example,

ACFNRULE KEY(INITIAL) TYPE(OMS) ADD(UID(*********userid) ALLOW)

where OMS must match the resource class name that you defined, and UID is a user ID or user ID mask. The resource name "INITIAL" permits users to change their security level with the /PWD command. Resource names "INITIAL0" through "INITIAL3" lock users to the highest matching security level (0, 1, 2, or 3) and prevent the users from changing level with the /PWD command (this is also referred to as locking). These security levels are used with OMEGAMON internal security to determine if a particular command is accessible to a user.

The following example shows how to set users to specific levels:

ACFNRULE KEY(INITIAL0) TYPE(OMS) ADD(UID(********USER02) ALLOW)
ACFNRULE KEY(INITIAL1) TYPE(OMS) ADD(UID(********USER03) ALLOW)
ACFNRULE KEY(INITIAL2) TYPE(OMS) ADD(UID(********USER04) ALLOW)
ACFNRULE KEY(INITIAL3) TYPE(OMS) ADD(UID(********USER05) ALLOW)
- Set up a CA-ACF2 rule for each command you want to protect with CA-ACF2 (each protected command will also require the EXTERNAL=YES setting in the security table: see Modifying the security table for CA-ACF2). The following example shows how to authorize a user to execute the PEEK command (specify the command name with the KEY operand):

ACFNRULE KEY(PEEK) TYPE(OMS) ADD(UID(********USER01) ALLOW)

If the command you want to secure begins with a slash (/) or period (.), the CA-ACF2 rule you define must start with a dollar sign ($) instead of the slash (/), or an "at" sign (@) instead of the period (.). For example, the command /LOGOUT requires a rule for $LOGOUT.
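The naming conventions in the steps above (three-character class name, R-prefixed class name in the exit, INITIALx logon keys, and the $ and @ substitutions for commands starting with / or .) are easy to get wrong by hand. The following helper is an added example, not part of the OMEGAMON documentation or product; it generates ACFNRULE statements from those conventions and rejects class names and levels that do not fit them. The class name OMS and the UID masks are constructed sample values matching the ones used above.

```python
# Added example: build CA-ACF2 ACFNRULE statements for OMEGAMON resources
# following the conventions described in this step (not product code).

LOGON_LEVELS = (None, 0, 1, 2, 3)  # None = INITIAL (level may be changed with /PWD)


def exit_class_name(class_name: str) -> str:
    """Validate a generalized resource class name and return the name the
    security exit must use: the same three characters prefixed with 'R'."""
    if len(class_name) != 3 or not class_name.isalnum():
        raise ValueError(f"class name must be 3 alphanumeric characters: {class_name!r}")
    return "R" + class_name.upper()


def acf2_key(command: str) -> str:
    """Map an OMEGAMON command name to its CA-ACF2 rule key:
    a leading '/' becomes '$' and a leading '.' becomes '@'."""
    if command.startswith("/"):
        return "$" + command[1:]
    if command.startswith("."):
        return "@" + command[1:]
    return command


def acfnrule(key: str, class_name: str, uid_mask: str) -> str:
    """Render one ACFNRULE ADD statement for the given key/class/UID mask."""
    exit_class_name(class_name)  # raises if the class name is malformed
    return f"ACFNRULE KEY({key}) TYPE({class_name}) ADD(UID({uid_mask}) ALLOW)"


def logon_rule(level, class_name: str, uid_mask: str) -> str:
    """Logon rule: level None gives INITIAL (user may change level with /PWD);
    levels 0-3 give INITIAL0..INITIAL3, which lock the user to that level."""
    if level not in LOGON_LEVELS:
        raise ValueError(f"security level must be 0-3 or None: {level!r}")
    key = "INITIAL" if level is None else f"INITIAL{level}"
    return acfnrule(key, class_name, uid_mask)


def command_rules(commands, class_name: str, uid_mask: str) -> list:
    """One rule per protected command (each also needs EXTERNAL=YES in the
    security table), with '/' and '.' commands translated to '$' and '@' keys."""
    return [acfnrule(acf2_key(cmd), class_name, uid_mask) for cmd in commands]


if __name__ == "__main__":
    print(exit_class_name("OMS"))                       # ROMS
    print(logon_rule(2, "OMS", "********USER04"))
    for line in command_rules(["PEEK", "/LOGOUT"], "OMS", "********USER01"):
        print(line)
```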