Using SAF to control group membership

When using SAF to define who belongs to an ISFPARMS group, you:

Assign a name to each group, as follows:
- With a GROUP statement, using the NAME parameter.
- With an ISFGRP macro, using the macro label. The label must start in column 1 and be 1-8 characters. It must conform to standard assembler language programming conventions and be unique within ISFPARMS.
Define SAF profiles GROUP.group-name.server-name, in the SDSF class, and permit users to them as appropriate. For more information, see Membership in groups.

SDSF works through the groups in ISFPARMS, checking for READ access to the SAF resource GROUP.group-name.server-name in the SDSF class. (If the SDSF client is not connected to the SDSF server, server-name is blank.) If the user is authorized to the group through the SAF profile, then the user is assigned to the group, regardless of whether he may be authorized to groups that occur later in ISFPARMS. If the user is not authorized to the group through the SAF profile, SDSF goes on to the next group.

In a JES2 environment, if SAF cannot make a decision because the SDSF class is inactive or the profile is not defined, SDSF reverts to ISFPARMS to determine membership in the group. In a JES3 environment, SAF fails the request.

If you do not assign a name to a group, SDSF generates one: ISF plus the index value of the group, in the format ISFnnnnn. However, because this name will change when you add or subtract groups from ISFPARMS, it is not suitable for use with SAF. To avoid conflicts with the SDSF-generated names, you should not assign names in the format ISFnnnnn.

The ISFPARMS and statements shipped with SDSF use the following names:

ISFSPROG for group 1
ISFOPER for group 2
ISFUSER for group 3

If you do not want SAF checking to occur, you can write a user exit using the pre-SAF exit point. See Using installation exit routines.