IBM RACF to CA ACF2 Translation

Many applications and products describe the setup for external security in IBM RACF terms. This appendix describes IBM RACF terminology so that a CA ACF2 administrator can create the necessary CA ACF2 records.
For information about a particular product not covered here, contact CA ACF2 Level 1 Technical Support.
IBM RACF Segments and CA ACF2 Profiles
User-related information is stored by IBM RACF in various database segments. CA ACF2 accomplishes this using the LOGONID and PROFILE records. The following table lists the IBM RACF segments and where the corresponding information is stored in CA ACF2.
LOGONID indicates that the information is stored in the logonid record. PROFILE indicates that the information is in a separate profile record. PROFILE* indicates that the information is in a separate profile record, but that optional default data is stored in an Information Storage record pointed to by the SMSINFO field in the logonid record.
IBM RACF Segment   CA ACF2 Equivalent   Profile Name        Segment
CATEGORY           PROFILE              SECLABEL            CATEGORY
CERTDATA           PROFILE              USER                CERTDATA
DCE                PROFILE              USER                DCE
DFP                PROFILE*             DATASET             DFP
DLFDATA            PROFILE              DLFCLASS            DLFDATA
CICS               LOGONID or PROFILE   USER                CICS
KEYSMSTR           PROFILE              KEYSMSTR            SSIGNON
LANGUAGE           PROFILE              USER                LANGUAGE
NETVIEW            PROFILE              USER                NETVIEW
OMVS               PROFILE              USER                OMVS
                                        GROUP               OMVS
OPERPARM           PROFILE              USER                OPERPARM
SECLEVEL           PROFILE              SECLABEL            SECLEVEL
SECLABEL           PROFILE              USER or SECLABEL    SECLABEL
SESSION            PROFILE              APPCLU              SESSION
TSO                LOGONID
BASE               LOGONID
WORKATTR           PROFILE              USER                WORKATTR
BASE and TSO Segment Considerations
This section describes the BASE and TSO segments. The data for fields in these segments is in the CA ACF2 logonid record.
The tables in the following sections identify fields in the IBM RACF BASE and TSO segments that have identical CA ACF2 logonid fields. The Comments column identifies how each field can be used with the RACROUTE REQUEST=EXTRACT SAF call.
  • A field is extractable if it can be read with a RACROUTE REQUEST=EXTRACT,TYPE=EXTRACT (or EXTRACTN) SAF call.
  • A field is replaceable if it can be updated with a RACROUTE REQUEST=EXTRACT,TYPE=REPLACE SAF call.
When using the SAF RACROUTE REQUEST=EXTRACT mechanism, you must refer to fields by their name in the IBM RACF database, not by the corresponding CA ACF2 name. This distinction matters whenever you use RACROUTE REQUEST=EXTRACT to obtain or alter data in the BASE and TSO user profile segments.
Not all RACF database fields in the BASE and TSO segments have equivalent fields in the logonid record. Some fields are RACF-specific and simply do not pertain to CA ACF2. Other fields are implemented differently under CA ACF2 and cannot be queried or administered through RACROUTE REQUEST=EXTRACT. For example, the RACF MAGSTRIP field provides Operator ID (OID) support during signon processing. CA ACF2 provides similar, but not identical, functionality with Extended User Authentication (EUA), which offers more functionality and greater administrative flexibility.
Base Segment Fields
The following table identifies IBM RACF BASE segment fields that have equivalent logonid fields.
IBM RACF Field Name   CA ACF2 Equivalent   Comments
PASSINT               MAXDAYS              CA ACF2 supports both extract and replace.
PASSWORD              PASSWORD             CA ACF2 supports extract only.
PASSDATE              PSWD-TOD             CA ACF2 supports extract only.
PGMRNAME              NAME                 CA ACF2 supports both extract and replace.
DFLTGRP               GROUP                CA ACF2 supports both extract and replace.
LJTIME                ACC-TIME             CA ACF2 supports extract only.
LJDATE                ACC-DATE             CA ACF2 supports extract only.
REVOKECT              PSWD-INV             CA ACF2 supports extract only.
CA ACF2 does not support any of the IBM RACF combination fields in the BASE user segment.
TSO Segment Fields
The following table identifies IBM RACF TSO segment fields having equivalent logonid fields.
RACF Field Name   CA ACF2 Equivalent   Comments
TACCNT            TSOACCT              CA ACF2 supports both extract and replace.
TDEST             DFT-DEST             CA ACF2 supports both extract and replace.
THCLASS           DFT-SUBH             CA ACF2 supports both extract and replace.
TJCLASS           DFT-SUBC             CA ACF2 supports both extract and replace.
TLPROC            TSOPROC              CA ACF2 supports both extract and replace.
TLSIZE            TSORGN               CA ACF2 supports both extract and replace.
TMCLASS           DFT-SUBM             CA ACF2 supports both extract and replace.
TMSIZE            TSOSIZE              CA ACF2 supports both extract and replace.
TOPTION           LIDTFLG2             CA ACF2 supports extract only.
TPERFORM          TSOPERF              CA ACF2 supports both extract and replace.
TRBA              TSORBA               CA ACF2 supports both extract and replace.
TSCLASS           DFT-SOUT             CA ACF2 supports both extract and replace.
TUNIT             TSOUNIT              CA ACF2 supports both extract and replace.
TUPT              UPT fields           CA ACF2 supports both extract and replace; see the note below.
TUPT maps to various fields of the User Profile Table (UPT), as mapped by IBM macro IKJUPT in SYS1.MACLIB. CA ACF2 replaces only the following UPT fields, because they are the only ones that map to CA ACF2 logonid fields:
UPTSWS flag byte:
  • UPTRCVR (X'80') RECOVER LID flag
  • UPTNPRM (X'40') PROMPT LID flag
  • UPTMID (X'20') MSGID LID flag
  • UPTNCOM (X'10') INTERCOM LID flag
  • UPTPAUS (X'08') PAUSE LID flag
  • UPTMODE (X'02') MODE LID flag
  • UPTWTP (X'01') WTP LID flag
UPTCDEL   CHAR LID field
UPTLDEL   LINE LID field
UPTPREFX  DFT-PFX LID field
UPTPREF8  DFT-PFX8 LID field
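The two rules above (name fields by their RACF name, and only replace what the tables mark as replaceable) are easy to get wrong in an exit or utility that builds RACROUTE parameter lists. The following Python is an added example, not code from the CA ACF2 documentation: it transcribes the BASE and TSO tables and the UPTSWS bit list from this appendix, validates an EXTRACT or REPLACE request against them, encodes the FIELDS= list (a fullword count followed by 8-byte EBCDIC field names, blank padded), and models what a TYPE=REPLACE of TUPT can actually change in the UPTSWS byte. The cp037 code page and the placeholder name "UPT" for the TUPT equivalent are assumptions made for the example.

```python
import struct

# Added example; transcribed from the BASE and TSO tables in this appendix:
# IBM RACF field name -> (CA ACF2 logonid field, TYPE=REPLACE supported)
BASE_FIELDS = {
    "PASSINT":  ("MAXDAYS",  True),
    "PASSWORD": ("PASSWORD", False),
    "PASSDATE": ("PSWD-TOD", False),
    "PGMRNAME": ("NAME",     True),
    "DFLTGRP":  ("GROUP",    True),
    "LJTIME":   ("ACC-TIME", False),
    "LJDATE":   ("ACC-DATE", False),
    "REVOKECT": ("PSWD-INV", False),
}
TSO_FIELDS = {
    "TACCNT":   ("TSOACCT",  True),
    "TDEST":    ("DFT-DEST", True),
    "THCLASS":  ("DFT-SUBH", True),
    "TJCLASS":  ("DFT-SUBC", True),
    "TLPROC":   ("TSOPROC",  True),
    "TLSIZE":   ("TSORGN",   True),
    "TMCLASS":  ("DFT-SUBM", True),
    "TMSIZE":   ("TSOSIZE",  True),
    "TOPTION":  ("LIDTFLG2", False),
    "TPERFORM": ("TSOPERF",  True),
    "TRBA":     ("TSORBA",   True),
    "TSCLASS":  ("DFT-SOUT", True),
    "TUNIT":    ("TSOUNIT",  True),
    "TUPT":     ("UPT",      True),   # "UPT" is a placeholder; see UPTSWS_BITS
}
SEGMENTS = {"BASE": BASE_FIELDS, "TSO": TSO_FIELDS}
EBCDIC = "cp037"  # assumed code page for the field names passed to RACROUTE

# UPTSWS bits from the TUPT note above and the CA ACF2 LID flag each maps to.
UPTSWS_BITS = [
    (0x80, "UPTRCVR", "RECOVER"),
    (0x40, "UPTNPRM", "PROMPT"),
    (0x20, "UPTMID",  "MSGID"),
    (0x10, "UPTNCOM", "INTERCOM"),
    (0x08, "UPTPAUS", "PAUSE"),
    (0x02, "UPTMODE", "MODE"),
    (0x01, "UPTWTP",  "WTP"),
]
# Only these bits are replaced; X'04' has no LID flag and is left untouched.
UPTSWS_REPLACEABLE = sum(bit for bit, _, _ in UPTSWS_BITS)   # 0xFB


def check_request(op, segment, fields):
    """Return a list of problems with an EXTRACT/REPLACE request.

    An empty list means every field was named by its RACF name and is
    supported for the requested operation under CA ACF2.
    """
    if op not in ("EXTRACT", "REPLACE"):
        raise ValueError("op must be EXTRACT or REPLACE")
    table = SEGMENTS.get(segment)
    if table is None:
        return [f"segment {segment} has no logonid mapping in this appendix"]
    # Reverse map so a caller who used the CA ACF2 name is told the RACF name.
    acf2_to_racf = {acf2: racf for racf, (acf2, _) in table.items()}
    problems = []
    for name in fields:
        if name in table:
            acf2, replaceable = table[name]
            if op == "REPLACE" and not replaceable:
                problems.append(f"{name} ({acf2}) supports EXTRACT only, not REPLACE")
        elif name in acf2_to_racf:
            problems.append(f"{name} is the CA ACF2 name; use RACF field {acf2_to_racf[name]}")
        else:
            problems.append(f"{name} has no logonid equivalent in segment {segment}")
    return problems


def build_field_list(op, segment, fields):
    """Encode the FIELDS= list: fullword count, then 8-byte EBCDIC names,
    left-justified and blank padded. Refuses requests the tables reject."""
    problems = check_request(op, segment, fields)
    if problems:
        raise ValueError("; ".join(problems))
    return struct.pack(">I", len(fields)) + b"".join(
        name.ljust(8).encode(EBCDIC) for name in fields)


def decode_uptsws(value):
    """Map one UPTSWS byte to the CA ACF2 LID flags it carries."""
    return {lid: bool(value & bit) for bit, _, lid in UPTSWS_BITS}


def replace_uptsws(current, requested):
    """Model a TYPE=REPLACE of TUPT: mapped UPTSWS bits take the requested
    values, any unmapped bit (X'04') keeps its current value."""
    return (current & ~UPTSWS_REPLACEABLE & 0xFF) | (requested & UPTSWS_REPLACEABLE)
```

Calling `build_field_list("REPLACE", "BASE", ["PASSDATE"])` raises because PSWD-TOD is extract-only, and `check_request("EXTRACT", "BASE", ["MAXDAYS"])` reports that the RACF name PASSINT must be used instead; both are the cases the text above warns about.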
IBM RACF Attribute Translation
Program Control (PADS)
IBM RACF Program Control allows for the definition of an exact program and library environment. A similar function exists in CA ACF2 called program pathing. This feature is used in data set access rules to specify the exact path (program and/or library) for accessing a particular data set or group of data sets.
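As an added illustration (not taken from the CA ACF2 documentation), the same restriction expressed both ways: updates to one data set are allowed only through one program fetched from one library. The data set PAY.MASTER.DATA, the library PAY.LOADLIB, the program PAYUPDT and the UID mask PAYADM are hypothetical names; the CA ACF2 rule uses the PGM and LIB keywords that implement program pathing.

```text
RACF (Program Access to Data Sets):
  RDEFINE PROGRAM PAYUPDT ADDMEM('PAY.LOADLIB'//NOPADCHK) UACC(READ)
  PERMIT 'PAY.MASTER.DATA' CLASS(DATASET) ID(PAYADM) ACCESS(UPDATE) WHEN(PROGRAM(PAYUPDT))
  SETROPTS WHEN(PROGRAM) REFRESH

CA ACF2 (program pathing in the data set access rule):
  ACF
  SET RULE
  COMPILE * STORE
  $KEY(PAY)
  * update allowed only from PAYUPDT fetched out of PAY.LOADLIB
  MASTER.DATA UID(PAYADM) PGM(PAYUPDT) LIB('PAY.LOADLIB') READ(A) WRITE(A)
  * any other path: read only, writes prevented and logged
  MASTER.DATA UID(-) READ(A) WRITE(P)
```

Under RACF the WHEN(PROGRAM) condition is honoured only while program control is active (SETROPTS WHEN(PROGRAM)) and the library is defined to the PROGRAM class; under CA ACF2 the PGM and LIB conditions are evaluated as part of the data set rule itself. In both systems the entry without a program condition still governs access from every other path, so keep that entry the more restrictive one.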
IBM RACF Attributes
The following table shows selected RACF attributes, their purpose, and the equivalent CA ACF2 privilege that would be used to achieve the same result in a CA ACF2 environment. Note that the three RACF bypass attributes all translate to the single CA ACF2 NON-CNCL logonid privilege, which is not scoped to selected resource classes the way OPERATIONS is; grant it sparingly and review the logonids that hold it.
RACF Attribute   Purpose                                                             CA ACF2 Equivalent
PRIVILEGED       Lets a user bypass security checking without any logging.           NON-CNCL
TRUSTED          Lets a user bypass security checking, but logging can be turned on  NON-CNCL
                 for this user.
OPERATIONS       Lets a user bypass security checking for selected resource classes. NON-CNCL
SPECIAL          Used in RACF administration.                                        SECURITY
AUDITOR          Lets a user review profile information.                             AUDIT
REVOKE           Prevents a user from accessing the system.                          CANCEL, RETIRE, or SUSPEND
Digital Certificate Authorization Resource Names
IBM RACF Resource in the FACILITY Class   IBM RACF Command           CA ACF2 Command            CA ACF2 Resource in the CASECAUT Class
IRR.DIGTCERT.LIST                         CHECKCERT                  CHKCERT                    ACFCMD.DIGTCERT.CHKCERT
IRR.DIGTCERT.CONNECT                      CONNECT                    CONNECT                    ACFCMD.DIGTCERT.CONNECT
IRR.DIGTCERT.ADD                                                                                ACFCMD.DIGTCERT.ADD
IRR.DIGTCERT.EXPORT                       EXPORT                     EXPORT                     ACFCMD.DIGTCERT.EXPORT
IRR.DIGTCERT.EXPORTKEY                    EXPORT in PKCS #12 format  EXPORT in PKCS #12 format  ACFCMD.DIGTCERT.EXPORTKEY
IRR.DIGTCERT.GENCERT                      GENCERT                    GENCERT                    ACFCMD.DIGTCERT.GENCERT
IRR.DIGTCERT.ADD                                                                                ACFCMD.DIGTCERT.ADD
IRR.DIGTCERT.GENREQ                       GENREQ                     GENREQ                     ACFCMD.DIGTCERT.GENREQ
IRR.DIGTCERT.REKEY                        REKEY                      REKEY                      ACFCMD.DIGTCERT.REKEY
IRR.DIGTCERT.REMOVE                       REMOVE                     REMOVE                     ACFCMD.DIGTCERT.REMOVE
                                                                                                ACFCMD.DIGTCERT.ADD
IRR.DIGTCERT.RENEW                        RENEW                      RENEW                      ACFCMD.DIGTCERT.RENEW
IRR.DIGTCERT.ROLLOVER                     ROLLOVER                   ROLLOVER                   ACFCMD.DIGTCERT.ROLLOVER
                                                                                                ACFCMD.DIGTCERT.ADD
IRR.DIGTCERT.LISTTOKEN                    LISTTOKEN                  P11TOKEN LIST              None
None                                      ADDTOKEN                   P11TOKEN ADD               None
None                                      DELTOKEN                   P11TOKEN DELETE            None
IRR.DIGTCERT.BIND                         BIND                       P11TOKEN BIND              ACFCMD.DIGTCERT.P11TOKEN.BIND
IRR.DIGTCERT.ADDTOKEN
None                                      UNBIND                     P11TOKEN UNBIND            ACFCMD.DIGTCERT.P11TOKEN.UNBIND
IRR.DIGTCERT.ADD                          ADDTOKEN                   P11TOKEN IMPORT            ACFCMD.DIGTCERT.P11TOKEN.IMPORT
IRR.DIGTCERT.ADD                          ADD                        INSERT (CERTDATA)          ACFCMD.DIGTCERT.ADD
IRR.DIGTCERT.ALTER                        ALTER                      CHANGE (CERTDATA)          ACFCMD.DIGTCERT.ALTER
IRR.DIGTCERT.LIST                         LIST                       LIST (CERTDATA)            ACFCMD.DIGTCERT.LIST
IRR.DIGTCERT.DELETE                       DELETE                     DELETE (CERTDATA)          ACFCMD.DIGTCERT.DELETE
                                                                                                ACFCMD.DIGTCERT.ADD
IRR.DIGTCERT.ADDRING                      ADDRING                    INSERT (KEYRING)           ACFCMD.DIGTCERT.ADDRING
None                                      None                       CHANGE (KEYRING)           ACFCMD.DIGTCERT.ALTRING
IRR.DIGTCERT.LISTRING                     LISTRING                   LIST (KEYRING)             ACFCMD.DIGTCERT.LISTRING
IRR.DIGTCERT.DELRING                      DELRING                    DELETE (KEYRING)           ACFCMD.DIGTCERT.DELRING
IRR.DIGTCERT.ADDMAP                       ADDMAP                     INSERT (CERTMAP, CRITMAP)  ACFCMD.DIGTCERT.ADDMAP
IRR.DIGTCERT.ALTMAP                       ALTMAP                     CHANGE (CERTMAP, CRITMAP)  ACFCMD.DIGTCERT.ALTMAP
IRR.DIGTCERT.LISTMAP                      LISTMAP                    LIST (CERTMAP, CRITMAP)    ACFCMD.DIGTCERT.LISTMAP
IRR.DIGTCERT.DELMAP                       DELMAP                     DELETE (CERTMAP, CRITMAP)  ACFCMD.DIGTCERT.DELMAP
Where a row lists more than one resource name, all of them are checked for that command; a continuation line with no command belongs to the row above it.
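An added example of applying the table above, not taken from the CA ACF2 documentation: one hypothetical group of PKI administrators (UID mask PKIADM) is authorized to run GENCERT, first in RACF and then in CA ACF2. The CA ACF2 side assumes that the CASECAUT class is mapped to type code AUT in your GSO CLASMAP record (verify with SHOW CLASMAP) and follows the usual CA ACF2 convention of using the first qualifier of the resource name, ACFCMD, as the rule $KEY.

```text
RACF:
  RDEFINE FACILITY IRR.DIGTCERT.GENCERT UACC(NONE)
  PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY) ID(PKIADM) ACCESS(CONTROL)
  SETROPTS RACLIST(FACILITY) REFRESH

CA ACF2:
  ACF
  SET RESOURCE(AUT)
  COMPILE * STORE
  $KEY(ACFCMD) TYPE(AUT)
  * PKI administrators may run GENCERT; every other ACFCMD.DIGTCERT
  * function stays denied and logged
  DIGTCERT.GENCERT UID(PKIADM) ALLOW
  DIGTCERT.- UID(-) PREVENT

  F ACF2,REBUILD(AUT)
```

In RACF the access level decides whose certificate GENCERT may create (READ for the caller's own, UPDATE for another user's, CONTROL for CERTAUTH and SITE certificates), so grant CONTROL only to the people who are allowed to mint CA and site certificates. Keep the catch-all PREVENT entry at the bottom of the CA ACF2 rule so that newly added ACFCMD.DIGTCERT resources are denied until they are explicitly allowed.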