Version 8.1.2
 —  SAF Security Kernel  —

Security Definitions

SAF Security is implemented by defining resource classes and profiles and permitting users the necessary access to those profiles. Specific requirements for class and profile definitions and access levels are described in the individual product documentation.

This section describes in general how to define resources to RACF, CA-Top Secret and CA-ACF2.


Defining Resources to RACF

This section describes how the resources are defined to RACF. For exact details of the procedures to be followed for the installed RACF version, consult the relevant IBM manuals.

Overview of tasks

Start of instruction setTo add classes to Class Descriptor Table

  1. Add the resource classes to the RACF Class descriptor table. Refer to the IBM SPL RACF manual. For an example, see IBM SYS1.SAMPLIB, member RACINSTL.

  2. For flexibility, allocate maximum length for the classes (80).

  3. Define the classes to enable discrete and generic profile use.

  4. Check further attributes controlling the level of RACF messages generated when performing RACROUTE calls, as well as the required level of SMF recording. Sample definitions are provided in source members SAFRCLSN and SAFRCLSX.

Start of instruction setTo update the z/OS Router Table

Start of instruction setTo activate new classes

Start of instruction setTo assign user ID for the SAF Security Started Task

Start of instruction setTo permit user access to resource profiles

Top of page

Defining Resources to CA-TOP SECRET

This section describes how the resources are defined to TOP SECRET. For exact details of the procedures to be followed for the installed version of TOP SECRET, consult the relevant CA-TOP SECRET manual.

Overview of tasks

Start of instruction setTo add CA-TOP SECRET facility

Start of instruction setTo assign a user ID for the SAF Security Started Task

Start of instruction setTo add a procedure name for the SAF Security Started Task

Start of instruction setTo add resource types to Resource Definition Table

Start of instruction setTo assign ownership of resources

Start of instruction setTo permit defined resource to users

Top of page

Defining Resources to ACF2

This section describes the definition of resources to ACF2 versions 5 and 6. For details of the procedures required for the current software version, please consult the relevant ACF2 manual.

Note:
ACF2 provides insufficient return codes to determine whether a resource profile does not exist or simply the user does not have access to it. Therefore, if access is denied by ACF2, the SAF Security Kernel will always report "Access denied resource not allowed" in the error message.

Consequently the SAF Security configuration options such as BKUNI=Y to allow access to undefined resources are not applicable where ACF2 is used.

Start of instruction setTo define resources to ACF2 version 5

  1. The SAF Security Kernel executes as a normal started task in z/OS. Define the user ID of the server task to ACF2 with the following attributes:

    MUSASS,NON-CNCL,STC

    To avoid the NON-CNCL attribute, APAR TW95626 must be applied.

  2. Activate the SAF Interface using the command:

    GSO OPTS -  SAF
  3. Switch off all SAF checks by inserting the SAFSAVE record as follows:

    SAFSAVE CLASSES(-) CNTLPTS(-) SUBSYS(-)
  4. Switch on the SAF security checks for the SAF Security Kernel by inserting the SAFPROT record as follows:

    CLASSES(-) CNTLPTS(-) SUBSYS(ADARUN)
  5. For the general resource class name used by SAF Security product options, define a 3-character ACF2 resource type code by inserting a SAFMAPS record as follows:

    SAFMAPS MAPS(NBK/NBKSAG)
  6. Define the required resource profiles to ACF2 using the new type code.

    The following example shows the addition of a Broker service etb.policy.quote1, allowing READ access for USER2:

    $KEY(ETB.POLICY.QUOTE1) TYPE(NBK) UID(user2) ALLOW SERVICE(READ)

Start of instruction setTo define resources to ACF2 version 6 and above

  1. The SAF Security Kernel executes as a normal started task in z/OS. Define the user ID of the server task to ACF2 with the following attributes:

    MUSASS,STC

    ACF2 version 6.1 and 6.2 no longer require TW95626,as these versions are more SAF-compliant.

  2. Insert SAFDEF records as follows:

    SAFDEF.EXS1
    FUNCRET(4) FUNCRSN(0) ID(ENTIREX) MODE(GLOBAL)
    RACROUTE(REQUEST=VERIFY SUBSYS=ADARUN REQSTOR=-)
    RETCODE(4)
    SAFDEF.EXS2
    FUNCRET(4) FUNCRSN(0) ID(ENTIREX) MODE(GLOBAL)
    RACROUTE(REQUEST=AUTH SUBSYS=ADARUN REQSTOR=-)
    RETCODE(4)
    SAFDEF.EXS3
    FUNCRET(4) FUNCRSN(0) ID(ENTIREX) MODE(GLOBAL)
    RACROUTE(REQUEST=EXTRACT SUBSYS=ADARUN REQSTOR=-)
    RETCODE(4)
  3. For the general resource class names used by SAF Security product options, define a 3-character ACF2 resource type code by inserting a CLASMAP record as follows:

    CLASMAP
    ENTITYLN(0) MUSID() RESOURCE(NBKSAG) RSRCTYPE(NBK)
  4. Define the required security profiles to ACF2 using the new type code. The following example shows the addition of a Broker service etb.policy.quote1, allowing READ access only for user ID user2:

    $KEY(ETB) TYPE(NBK)
    POLICY.QUOTE1 UID(user2) SERVICE(READ)   ALLOW
    POLICY.QUOTE1 UID(-)                     PREVENT  
    
    

Top of page