SAF Resource Classes (CLASMAP)
The CLASMAP record translates eight-character resource classes into three-byte acf resource type codes. The three-character resource type code lets you write resource rules to validate security calls for the specified classes. acf checks the CLASMAP record for this type code for all SAF, #SECUR, CAISSF, HLI, and user SVCA calls that set ACG8RTYP and ACG8CRTF.
The CLASMAP record translates eight-character resource classes into three-byte
CA ACF2resource type codes. The three-character resource type code lets you write resource rules to validate security calls for the specified classes.
CA ACF2checks the CLASMAP record for this type code for all SAF, #SECUR, CAISSF, HLI, and user SVCA calls that set ACG8RTYP and ACG8CRTF.
For a list of IBM-supplied SAF resource classes, see IBM-Supplied Resource Classes.
The following lists the record format and field descriptions for CLASMAP:
CLASMAPqualENTITYLN(0|entitylength) LOG|NOLOGMIXED|NOMIXEDMUSID(musassid|********) POSIT(positvalue) PROFINT|NOPROFINTRESOURCE(class) RSRCTYPE(typecode) SIGNAL|NOSIGNAL
- ENTITYLN(0|entitylength)Specifies the entity length of the specified SAF class. If ENTITYLN is zero, CA-ACF2 checks for a matching internal CLASMAP and assign the length from the internal CLASMAP. If no matching internal CLASMAP exists, then CA-ACF2 assigns a length of 39, the IBM default.
- LOG|NOLOGSpecifies whetherCA ACF2overrides the LOG parameter on a matching RACROUTE AUTH or FASTAUTH call and treats it as LOG=ASIS. This field allows logging to SMF a violation that is not normally logged because the RACROUTE AUTH or FASTAUTH call specified LOG=NONE or LOG=NOFAIL or LOG=NOSTAT. NOLOG is the default. Note that LOG|NOLOG in the CLASMAP does not affect RACROUTE AUTH or FASTAUTH calls that are logged. NOLOG does not prevent loggings.If the value of this field is null or defaulted, it is not displayed when the CLASMAP record is displayed.
- MIXED|NOMIXEDIndicates whetherCA ACF2accepts all input of resource names as mixed case. When MIXED is chosen, the inserted CLASMAP must be made active using the ACF2 REFRESH command before any subsequent administration commands can be issued for this resource class.If the value of this field is null or defaulted, it is not displayed when the CLASMAP record is displayed.
- MUSID(Identifies the MUSASS to which the CLASMAP record applies. This field lets several MUSASSs that share the resource class use a different type code. Normalmusassid|********)CA ACF2resource name masking conventions apply.
- POSIT(positvalue)Specifies the bit value that is checked in a bit table to determine whether a class is active in cases when a RACROUTE call is not issued. Valid values reserved to customer defined resource class are: 19-56 and 128-527. Valid values reserved to IBM defined resource class are 0-18, 57-127 and 528-1023. The POSIT values for the IBM classes are automatically assigned and does not need to be coded. When coded, it must match the IBM assigned value. Coding POSIT() is however allowed and the IBM defined value is substituted.For a complete list of IBM resource class and assigned POSIT value, see the IBM publication z/OS Security Server RACROUTE Macro Reference.If the value of this field is null or defaulted, it will not be displayed when the CLASMAP record is displayed.
- PROFINT|NOPROFINTSpecifies whether the profile interpreter should be invoked for the profile record that is associated with this class. NOPROFINT is the default.If the value of this field is null or defaulted, it is not displayed when the CLASMAP record is displayed.
- RESOURCE(class)Specifies the explicit eight-character resource class from the CLASS keyword on the RACROUTE macro. RESOURCE can also define the resource class that is defined toCA ACF2by CAISSF. NormalCA ACF2resource name masking conventions apply.
- RSRCTYPE(typecode)Specifies the explicit three-character resource type code that is associated with the class. If you define a RESOURCE but do not define a RSRCTYPE,CA ACF2uses the first three characters of the RESOURCE as the RSRCTYPE. Use this type code to write resource rules to perform validation. This value cannot be a mask. If you want to mask the name of the resource in your resource rule key, add this type code to the GSO RESDIR or INFODIR record and perform a rebuild. For more information, see Resource Rules.
- SIGNAL|NOSIGNALSpecifies whetherCA ACF2should issue an ENF 62 signal after the class definition is rebuilt using the F ACF2,REBUILD operator command. NOSIGNAL is the default. Applications may listen for this signal and may react accordingly when notified that the class table has been rebuilt.
Creating Multiple GSO CLASMAP Records
If you need more than one CLASMAP record, append a qualifier to the record name in the format CLASMAP
qualto generate a unique record ID (for example, CLASMAPVMAN or CLASMAP.DATASET). This optional qualifier can be up to nine characters, and must immediately follow the characters CLASMAP. If you use a period (.) as part of the qualifier string for the record name, CA ACF2 counts it as one of the nine characters.
Displaying GSO CLASMAP Records
The SHOW CLASMAP subcommand of the ACF command displays the internal definitions (
CA ACF2defined) and external definitions (site-defined) of SAF calls that are being translated in one merged table. There are no GSO CLASMAP records for the internal CLASMAPs. Note in the following example that an external CLASMAP appears in the output before an internal CLASMAP with the same resource class. Assuming the MUSASS ID is the same, the first occurrence of a resource class is the one that is used.
show clasmap -- MERGED CLASMAP DEFINITIONS -- MUSASS RESOURCE TYPE ENTITY PROFINT LOG MIXED EXTERNAL POSIT SIGNL ID CLASS CODE LENGTH VALUE ======== ======== === ====== ======= === ===== ======== ===== ===== ******** AC#CMD SAF 8 ******** ACAPPL ACA 39 ******** ACCBPROC ACC 39 ******** ACCTNUM SAF 39 126 ******** ACDIALOG ACD 39 ******** ACF2PVIO PVO 39 ******** ACICSPCT SAF 13 5 ******** ACLIST ACL 39 ******** ACMSG ACM 39 ******** ACPANEL ACP 39 ******** ACREPORT ACR 39 ******** ACSQL ACS 39 ******** AIMS SAF 8 4 ******** ALCSAUTH SAF 62 548 ******** APPCLU ALU 35 PROF 118 ******** APPCPORT SAF 8 87 ******** APPCSERV SAF 73 84 ******** APPCSI SAF 26 88 ******** APPCTP SAF 82 89 ******** APPL APL 8 EXT 3 ******** APPL SAF 8 3 ******** BCICSPCT SAF 13 5 ******** CA$SIRPT ZSI 246 EXT ******** [email protected] BES 150 ******** CAADMIN CAA 39 ******** CACCFDSN CFD 39 ******** CACCFMEM CFM 39 ******** CACEM CEM 246 ******** CACHECLS SAF 16 569 ******** CACMD CAC 39 ***
Using CLASMAP Records to Validate SAF RACROUTE Calls
SAF RACROUTE calls for the DATASET, TAPEVOL, and DASDVOL classes are not translated into
CA ACF2resource validations. For these three classes, a SAF call for REQUEST=AUTH is translated into a dataset validation. No CLASMAP is required. A SAF call for REQUEST=FASTAUTH or REQUEST=LIST is ignored.
SAF RACROUTE calls for any other class are translated into
CA ACF2resource validations and a CLASMAP is recommended. For REQUEST=FASTAUTH the resource validation is done without the issuance of an SVC call. Type codes must be placed in a resource rule directory and the rules must be made resident for FASTAUTH calls to process correctly. For REQUEST=LIST a directory build is initiated. The type codes for these resources must be defined in a GSO RESDIR or INFODIR record.