
z/OS 2.5 SDSF Security with ACF2

By Jasdeep Singh posted Feb 16, 2023 09:47 AM


Are you planning to migrate to z/OS 2.5? If so, here is a second question: do you realize that with z/OS 2.5 you can no longer use the internal (ISFPARMS-based) security of the System Display and Search Facility (SDSF)? From z/OS 2.5 on, SDSF requires SAF external security, so the security product has to be set up to protect SDSF before the migration is complete.

SDSF lets users monitor and control jobs and view their output. After submitting a job, it is common to use SDSF to check that the job completed successfully or to review and correct any JCL errors.

In this blog, I discuss how you can convert SDSF ISFPARMS definitions that use internal security to ACF2 external security. SDSF calls the System Authorization Facility (SAF) for its initial external security check and for access control on all SDSF resources.

The most common question we get is: is there an ACF2 migration utility that converts SDSF ISFPARMS to ACF2 security directly? The answer is no.

However, in this short blog we explain how a security administrator can convert SDSF ISFPARMS to ACF2 security in two steps:

1. Convert the SDSF ISFPRMxx member into RACF commands using the IBM-provided ISFACR security migration REXX utility (RACF libraries are not required to run this utility).

2. Convert the generated RACF commands to ACF2 commands.

The Broadcom support team can provide guidance for this second step.

After you identify which ISFPRMxx member SDSF is using from SYS1.PARMLIB, determine how security is set up in it: how users (logonids) are grouped, and what each group is authorized to do in SDSF. The IBM SDSF documentation describes the ISFPRMxx GROUP statement and its parameters.

There are three ways to convert SDSF groups into ACF2 security rules:

·       ROLE based security

·       UID based security

·       Resource grouping based security

Let’s take two sample SDSF groups, ISFDBA and ISFOPER, from ISFPRMxx and convert them to ACF2 security using both ROLE based and UID based sample rules. ISFACR generates the following RACF commands for the two groups:

/* Commands for  GROUP  profiles */

 ADDGROUP  ISFDBA OWNER(ISF) SUP(ISF) 
 ADDGROUP  ISFOPER OWNER(ISF) SUP(ISF)


ROLE based security

We recommend this method because it is comparatively easy to implement.

ISFPARMS associates logonids with a specific group such as ISFDBA or ISFOPER through the following ISFPRMxx GROUP statement parameters:

ISFPRMxx parameter     Description
NAME(group-name)       Group name used in the SAF resource name
ILPROC(NTBL-name)      Includes users by logon procedure
ITNAME(NTBL-name)      Includes users by terminal name
IUID(NTBL-name)        Includes users by user ID
TSOAUTH(attributes)    Includes users by TSO authority


1.      Create an X(ROL) role record for each ISFPRMxx group (ISFDBA and ISFOPER here) and add to it every logonid that the group selects through its ILPROC, ITNAME, IUID and TSOAUTH parameters.

Here are sample commands that create the ISFOPER and ISFDBA role records and add the logonids taken from the Names Tables (NTBL) and attributes referenced by the ISFPRMxx parameters:

SET X(ROL)

INSERT ISFOPER include(logonid1,logonid2...logonid3) ROLE

INSERT ISFDBA include(logonid4,logonid5...logonid6) ROLE

F ACF2,NEWXREF,TYPE(ROL)

2.      Issue the following commands to list the inserted role records:

SET X(ROL)

LIST ISFOPER

LIST ISFDBA


3.      Write ACF2 resource rules for these roles. Below, the RACF PERMIT commands that ISFACR generates for the ISFCMD.DSP.ACTIVE.JES2 resource are shown first, followed by the equivalent ACF2 ROLE based rule entries. Note how the first qualifier of the resource name (ISFCMD) becomes the rule $KEY and the remainder (DSP.ACTIVE.JES2) becomes the rule entry:

 /* Commands for  SDSF  profiles */

PERMIT ISFCMD.DSP.ACTIVE.JES2 CLASS(SDSF) ID(ISFOPER) ACCESS(READ)

PERMIT ISFCMD.DSP.ACTIVE.JES2 CLASS(SDSF) ID(ISFDBA) ACCESS(READ)


ACF

SET RESOURCE(SDF)

RECKEY ISFCMD ADD(DSP.ACTIVE.JES2 ROLE(ISFOPER) SERVICE(READ) ALLOW)

RECKEY ISFCMD ADD(DSP.ACTIVE.JES2 ROLE(ISFDBA) SERVICE(READ) ALLOW)

F ACF2,REBUILD(SDF)

4.      Issue the following commands to list the rule records:

SET R(SDF)

LIST ISFCMD

UID based security

This implementation can be slightly more complicated because you first have to work out how the ISFPRMxx groups correlate with fields of the ACF2 UID string.

1.      Take the same two groups, ISFOPER and ISFDBA, and convert them into UID based rules. You must review the UID string definition of your ACF2 installation to verify the field layout; the masks below are only valid for the sample layout shown here.

As an example, the UID string has the following fields defined:

Field name       Field length
COMPANY          3
STATE            2
DEPT             5
FUNCTION CODE    3
logonid          8


In this example the FUNCTION CODE field of the UID string carries the correlation: a FUNCTION CODE of OPR identifies members of the ISFPARMS group ISFOPER, and a FUNCTION CODE of DBA identifies members of ISFDBA:

OPR => ISFOPER
DBA => ISFDBA

2.      Write UID string based rules for the ISFCMD.DSP.ACTIVE.JES2 resource. FUNCTION CODE starts at offset 10 of the UID string (COMPANY 3 + STATE 2 + DEPT 5), so each mask is ten asterisks, the three-character function code, and eight asterisks for the logonid field, 21 characters in total:


ACF
SET RESOURCE(SDF)
RECKEY ISFCMD ADD(DSP.ACTIVE.JES2 UID(**********OPR********) SERVICE(READ) ALLOW)
RECKEY ISFCMD ADD(DSP.ACTIVE.JES2 UID(**********DBA********) SERVICE(READ) ALLOW)
F ACF2,REBUILD(SDF)

3.      Issue the following commands to list the inserted rules:

SET R(SDF)
LIST ISFCMD

Resource grouping based security

The IBM ISFACR utility creates RACF grouping profiles (member lists) in the grouping class GSDSF. The individual SDSF resources (ISFATTR… and so on) are added as members of these profiles (ATTR.CMD2 through ATTR.CMD7, as an example), and access is then permitted on the group rather than on every member. ACF2 can do the same: group the resources in X(RGP) records and write rules that allow users access to the group that contains the ISFATTR… resources.

1.      Group the SDSF resources. ACF2 cross-reference resource group records, X(RGP), group resources in the same way as RACF grouping profiles. The example below creates the groups ATTR.CMD2 and ATTR.CMD3 for resource type SDF:

SET X(RGP)
INSERT ATTR.CMD2 RESOURCE TYPE(SDF) INCLUDE(ISFATTR.OUTPUT.BURST, - 
ISFATTR.OUTPUT.CLASS, -
ISFATTR.OUTPUT.COPYCNT)

INSERT ATTR.CMD3 RESOURCE TYPE(SDF) INCLUDE(ISFATTR.OUTPUT.BURST, - 
ISFATTR.OUTPUT.CLASS, -
ISFATTR.OUTPUT.COPYCNT)

2.      Issue the following commands to list the inserted resource group records (note that X(RGP) records are listed under SET X(RGP), not under a resource type):

SET X(RGP)

LIST LIKE(ATTR.-)

3.      Write ACF2 resource rules for TYPE(SDF) that allow access to the resource groups ATTR.CMD2 through ATTR.CMD7. The group name is used whole as the rule $KEY. The sample below covers ATTR.CMD2 and ATTR.CMD3, once for a single logonid and once for a role:

SET RESOURCE(SDF)
* Allow a single logonid access
RECKEY ATTR.CMD2 ADD( USER(user001) ALLOW)
* Allow a group of users(ROLE) access
RECKEY ATTR.CMD2 ADD( ROLE(isf1) ALLOW)

* Allow a single logonid access
RECKEY ATTR.CMD3 ADD( USER(user001) ALLOW)
* Allow a group of users(ROLE) access
RECKEY ATTR.CMD3 ADD( ROLE(isf1) ALLOW)

4.      Issue the following commands to list the inserted rule records:

SET R(SDF)
LIST LIKE(ATTR.-)
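The conversion from ISFACR output to ACF2 commands, covering the ROLE based, UID based and resource grouping variants above, is mechanical enough to script. The following is an added example of such a converter and is not code from the blog, from Broadcom or from IBM. It assumes that the RACF input consists of ADDGROUP, PERMIT ... CLASS(SDSF|GSDSF) ID() ACCESS() and RDEFINE GSDSF ... ADDMEM() statements in the shapes shown in the sample input, that class SDSF maps to ACF2 resource type SDF as on this page, that only READ and UPDATE are translated to SERVICE() automatically (anything else is flagged for manual review), and that X(RGP) records are activated with F ACF2,NEWXREF,TYPE(RGP). The UID string layout is the sample layout from the UID based section; the sample RACF lines are constructed to echo the examples on this page.

```python
"""Added example: convert ISFACR-style RACF commands to ACF2 commands.

Assumptions (mine, not the page's): RACF statement shapes as in SAMPLE_RACF,
class SDSF -> ACF2 type SDF, only READ/UPDATE mapped to SERVICE(), and
F ACF2,NEWXREF,TYPE(RGP) to activate X(RGP) records.
"""
import re
from typing import Dict, List, Optional, Sequence, Tuple

SDSF_TYPE = "SDF"
ACCESS_TO_SERVICE = {"READ": "READ", "UPDATE": "UPDATE"}  # assumption: others need review

# UID string layout of the blog's sample installation: (field, length).
UID_FIELDS: Sequence[Tuple[str, int]] = (
    ("COMPANY", 3), ("STATE", 2), ("DEPT", 5), ("FUNCTION", 3), ("LOGONID", 8),
)

_ADDGROUP = re.compile(r"^\s*ADDGROUP\s+(?P<grp>\w+)", re.I)
_PERMIT = re.compile(
    r"^\s*PERMIT\s+(?P<res>\S+)\s+CLASS\((?P<cls>\w+)\)\s+ID\((?P<id>\w+)\)"
    r"\s+ACCESS\((?P<acc>\w+)\)", re.I)
_RDEFINE_GSDSF = re.compile(
    r"^\s*RDEFINE\s+GSDSF\s+(?P<grp>\S+)\s+ADDMEM\((?P<members>[^)]*)\)", re.I)


def uid_mask(fields: Sequence[Tuple[str, int]], **values: str) -> str:
    """Build a positional ACF2 UID mask: every byte that is not pinned is '*'.

    A value is left-justified in its field and padded with '*', so pinning
    FUNCTION="OPR" gives 10 asterisks (COMPANY+STATE+DEPT), OPR, then 8
    asterisks for the logonid field; the mask always spans the whole UID string.
    """
    unknown = set(values) - {name for name, _ in fields}
    if unknown:
        raise ValueError(f"unknown UID field(s): {sorted(unknown)}")
    parts = []
    for name, length in fields:
        val = values.get(name, "").upper()
        if len(val) > length:
            raise ValueError(f"{name}={val!r} exceeds field length {length}")
        parts.append(val.ljust(length, "*"))
    return "".join(parts)


def split_key(resource: str, grouped: bool) -> Tuple[str, str]:
    """$KEY is the first qualifier of an SDSF resource (ISFCMD for
    ISFCMD.DSP.ACTIVE.JES2, the rest becomes the rule entry); a GSDSF group
    name such as ATTR.CMD2 is used whole as the $KEY."""
    if grouped or "." not in resource:
        return resource, ""
    key, rest = resource.split(".", 1)
    return key, rest


def permit_to_reckey(line: str, uid_by_group: Optional[Dict[str, str]] = None) -> List[str]:
    """One RACF PERMIT -> one RECKEY ADD line: ROLE based by default, UID based
    when the RACF group has a mask in uid_by_group."""
    m = _PERMIT.match(line)
    if not m:
        raise ValueError(f"not a PERMIT statement: {line!r}")
    res, cls, grp, acc = (m.group(k).upper() for k in ("res", "cls", "id", "acc"))
    key, rest = split_key(res, grouped=(cls == "GSDSF"))
    mask = (uid_by_group or {}).get(grp)
    who = f"UID({mask})" if mask else f"ROLE({grp})"
    svc = ACCESS_TO_SERVICE.get(acc)
    entry = " ".join(p for p in (rest, who, f"SERVICE({svc})" if svc else "", "ALLOW") if p)
    out = [f"RECKEY {key} ADD({entry})"]
    if svc is None:  # CONTROL/ALTER etc.: leave the SERVICE() decision to the administrator
        out.insert(0, f"* REVIEW: no SERVICE() mapping for ACCESS({acc}) on {res}")
    return out


def convert(racf_lines: Sequence[str], uid_by_group: Optional[Dict[str, str]] = None) -> List[str]:
    """Translate an ISFACR-style command stream into ACF2 command input."""
    roles, groups, rules = [], [], []
    for line in racf_lines:
        if m := _ADDGROUP.match(line):
            grp = m.group("grp").upper()
            if not (uid_by_group and grp in uid_by_group):  # UID variant needs no role
                # ISFACR only names the group; the logonid list comes from the
                # ISFPRMxx ILPROC/ITNAME/IUID/TSOAUTH review, hence a placeholder.
                roles.append(f"INSERT {grp} INCLUDE(<logonids-from-ISFPRMxx>) ROLE")
        elif m := _RDEFINE_GSDSF.match(line):
            members = ",".join(x.strip().upper() for x in m.group("members").split(",") if x.strip())
            groups.append(f"INSERT {m.group('grp').upper()} RESOURCE TYPE({SDSF_TYPE}) INCLUDE({members})")
        elif _PERMIT.match(line):
            rules.extend(permit_to_reckey(line, uid_by_group))
    out: List[str] = []
    if roles:
        out += ["SET X(ROL)", *roles, "F ACF2,NEWXREF,TYPE(ROL)"]
    if groups:
        out += ["SET X(RGP)", *groups, "F ACF2,NEWXREF,TYPE(RGP)"]
    if rules:
        out += [f"SET RESOURCE({SDSF_TYPE})", *rules, f"F ACF2,REBUILD({SDSF_TYPE})"]
    return out


# Constructed sample input echoing the blog's examples (not real ISFACR output).
SAMPLE_RACF = [
    "ADDGROUP ISFDBA OWNER(ISF) SUP(ISF)",
    "ADDGROUP ISFOPER OWNER(ISF) SUP(ISF)",
    "RDEFINE GSDSF ATTR.CMD2 ADDMEM(ISFATTR.OUTPUT.BURST, ISFATTR.OUTPUT.CLASS)",
    "PERMIT ISFCMD.DSP.ACTIVE.JES2 CLASS(SDSF) ID(ISFOPER) ACCESS(READ)",
    "PERMIT ISFCMD.DSP.ACTIVE.JES2 CLASS(SDSF) ID(ISFDBA) ACCESS(READ)",
    "PERMIT ATTR.CMD2 CLASS(GSDSF) ID(ISFOPER) ACCESS(UPDATE)",
]

if __name__ == "__main__":
    print("--- ROLE based ---")
    print("\n".join(convert(SAMPLE_RACF)))
    print("--- UID based ---")
    masks = {"ISFOPER": uid_mask(UID_FIELDS, FUNCTION="OPR"),
             "ISFDBA": uid_mask(UID_FIELDS, FUNCTION="DBA")}
    print("\n".join(convert(SAMPLE_RACF, masks)))
```

Run it without arguments to print the ROLE based and UID based command streams for the sample input; pass a dictionary of group-to-mask entries to convert() to switch a group to a UID mask. The converter deliberately refuses to guess a SERVICE() value for RACF access levels other than READ and UPDATE and emits a review marker instead, and uid_mask() rejects a value that does not fit its field, so a mask can never silently shift into the logonid field.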

The Broadcom document SDSF External Security with ACF2 for z/OS 2.5 explains all the steps required to enable SDSF external security.

Running into any issues? Open a new case on the Broadcom support site. We will help you find any configuration errors in your environment and get your SDSF environment fully secured with ACF2!
