Components

Security components include the Logonid, Rule, and Infostorage databases.
From an administrative standpoint, CA ACF2 is tailored to individual users, data sets, and resources. You can use CA ACF2 TSO commands, ISPF panels, or batch utilities to dynamically update these components. In addition, you can use the ACFM CICS transaction and the ACF IMS transaction. The following are CA ACF2 components.
Records
The following is a list of CA ACF2 records. These records are contained in the CA ACF2 databases.
Logonid
Defines each system user in terms of general identification, status, privileges, access history, attributes related to TSO, CICS, IMS, VM, VSE, violation statistics, and so forth.
Access Rule
Describes the conditions (environment) for accessing particular data sets, and determines whether access is permitted or prevented for a user or group of users. For more information, see Access Rules.
Resource Rule
Describes conditions (environment) for accessing particular resources. Resources include TSO accounts, TSO procedures, IMS transactions, commands, PSBs, and AGNs, CICS files, programs, transactions, transient data, temporary storage, SYSIDs, and DL/I calls, system resources protected by SAF calls, or any resource a site wants to define. For more information, see Resource Rules.
Entry
Defines a source or group of sources associated with system entry access. These records are obsolete, but still supported. XREF records provide much more flexibility than Entry records and should be used in place of Entry records. For more information related to XREF records, see Entry Source and Source Group Records.
Field
Specifies access to records based on information in a field. You define the record to CA ACF2 in a RECORD definition record and specify the test you want CA ACF2 to perform to validate access in an EXPRESSN record. Then you create resource rules to define the validation. The $RECNAME control statement points CA ACF2 to the RECORD definition record and the RECCHECK parameter points CA ACF2 to check the EXPRESSN record. This is a CICS-only facility; DB2 record-level protection is not supported. For more information, see Field Records.
Cross-Reference
Defines groups of sources or groups of resources for CA ACF2 validation processing.
Scope
Limits the authority a specially privileged user or authorized end user has over logonid records, access rules, and other CA ACF2 records.
Shift and Zone
Defines periods of time when access is permitted or prevented. Zone records offset the user's local time from the executing CPU time. Zone records are only used during system entry validation.
Cache
Sets options for the CA ACF2 cache facility.
CPF
Sets command propagation facility options and defines how nodes in the CPF network can communicate.
DCO
Defines resources to a Data Class. Additionally, an owner of the resource can be defined within the Data Class.
GSO
Specifies a site's CA ACF2 global system options.
Profile
Contains security-related information about users and resources that can be requested by the system. For more information, see Profile Records.
NET
Specifies distributed database options.
Identity
Contains extended user authentication information.
CA ACF2 Databases
CA ACF2 verifies a user's identity and allows or denies access to data sets and resources. It determines whether the user has authority by searching one of its three databases: the Logonid, Rule, and Infostorage databases. CA ACF2 decides which of these to search depending on the type of request it receives.
Logonid database
Contains logonid records for all users on the system.
Rule Database
Contains all data set access rules.
Infostorage Database
Contains resource rules, entry records, cross-reference records, scope records, shift and zone records, global system options records, identity records, field records, and profile records.
Each database contains different records and rules. 
The ACF Command and Subcommand
Lets you create and maintain the major components of CA ACF2. We also provide ISPF panels that perform the same functions as the TSO ACF command. The ACF command is also available for CA ACF2 batch processing. A HELP subcommand is available and provides instructions on the use of commands and descriptions of various fields.
For more information, see The ACF Command and ACF Subcommands.
Security and Maintenance Reports
The security and maintenance reports assist with security maintenance, administration, and auditing. Use these reports to monitor access and security violations. Most reports use data produced by CA ACF2 and recorded with the IBM System Management Facility (SMF). You can also use CA-Earl® to customize the reports to meet installation-specific reporting needs. The following reports are provided with CA ACF2. See Reporting for complete information on all CA ACF2 reports.
Data and Resource Logging Violation Reports
The following reports let you monitor activities such as unsuccessful system access attempts, important operator interactions including the start and stop time of CA ACF2, and any CA ACF2 operator commands issued at the console.
ACFRPTCR
TSO Command Statistics Log. TSO command logging and violation records.
ACFRPTDS
Data Set/Program Event Log. Violation records and journaled access requests for data sets and programs.
ACFRPTJL
Provides the following reporting options:
  • Restricted Logonid Job Log. Displays a log of all system accesses by logonids with the RESTRICT field. These IDs, usually used by production jobs, do not have an associated password.
  • JOBFROM Job Log (obtained through the JOBFROM parameter). Displays a log entry for every submitted job that includes a //*JOBFROM control statement. This control statement is used in multiple-user single address space systems (such as CICS, IMS, and CA ROSCOE) or in batch production environments (like CA 7) to control transmission of logonid and source information in jobs.
ACFRPTPW
Invalid Password/Authority Log. All unsuccessful system access attempts.
ACFRPTRV
Resource Event Log. Loggings, violations, and trace requests related to resources.
ACFRPTPP
The SMF Preprocessing utility. Preprocesses the input SMF data and builds multiple files that are used as input to the other reports. This utility eliminates the need to rerun each report program against all of the SMF data, allowing the individual reports to run more quickly.
ACFRPTST
SECTRACE formatting utility. The CA ACF2 SAF diagnostic trace, SECTRACE, can optionally write trace records of SAF calls to the system SMF file. The ACFRPTST utility program is used to select the desired records and produce the desired reports.
ACFRPTNV
Environmental report. This report lists important CA ACF2 operator interactions including the start time of CA ACF2 and any operator commands issued at the console.
ACFRPTOM
z/OS UNIX System Services report. This report provides system loggings and violations produced by UNIX System Services.
Database Maintenance Reports
The following reports list modifications made to database records.
ACFRPTEL
Infostorage Update Log. Modifications made to resource rule sets and any other Infostorage database records.
ACFRPTLL
Logonid Modification Log. Modifications to the Logonid database.
ACFRPTRL
RuleID Modification Log. Modifications to the Rule database.
Cross-Reference Reports
The following reports let you list information such as access rules that apply to specific logonids or UIDs, logonids matching user-specified selection criteria, and users with access to a specific data set or resource.
ACFRPTIX
Data Set Index Report. Information about changes to the environment that affect a specific data set high-level index.
ACFRPTRX
Logonid Access Report. All access rules that apply to a specific logonid or UID.
ACFRPTSL
Selected Logonid List. All logonid records matching the user-specified selection criteria.
ACFRPTXR
Cross-Reference Report. All users who have access to a specified data set or resource.
Other Components
The following is information on other CA ACF2 components.
ISPF Panels
ISPF panels allow you to perform TSO ACF commands using a menu-driven interface. The following CA ACF2 administrative functions are available:
  • Add, change, delete, and list logonid records
  • Compile, decompile, and delete access and resource rules such as global system options (GSO) records and cross-reference records (XREF)
  • Add, change, delete, and list unstructured infostorage records such as shift, entry, and xref
  • Display CA ACF2 system processing options
  • Run CA ACF2 reports at the terminal
  • Execute CA ACF2 utility programs at the terminal
  • Add, change, delete, and list structured infostorage records
To use the ISPF panels that are shipped with CA ACF2, you must install them first. Once activated, select the appropriate option from the CA ACF2 ISPF Option Selection Menu.
If your site does not have ISPF or you want to administer CA ACF2 from native TSO, see The ACF Command.
Command Propagation Facility
Lets you maintain the CA ACF2 databases across a network from one specially defined home node. For more information, see Command Propagation Facility.
CA ACF2 Database Recovery
The ACFRECVR utility re-creates one or all of the CA ACF2 databases if they become damaged. ACFRECVR accepts one or more of the database backup files and selected database maintenance logging records and merges them to create a current database.
Additional CA ACF2 Utilities
CA ACF2 provides utilities to assist in the initial implementation and installation of CA ACF2. We also provide utilities to help streamline ongoing maintenance activities, recover databases, and manage SMF data. For more information, see CA ACF2 Utilities.
CA ACF2 for CICS Interface
An interface that allows you to control access to a CICS region and the resources in it. For more information, see CICS Support.
CA ACF2 for IMS Interface
An interface that allows you to control access to the IMS environment and its resources. For more information, see IMS Support.
CA ACF2 HFS Interface
An interface that allows you to use standard resource rules to control the hierarchical file system (HFS) that is under UNIX System Services. For more information, see Implement CA SAF Security.
Field Definition Record (ACFFDR)
The ACFFDR is made up of Assembler language macros that perform the following:
  • Define and establish controls for each field of data in the logonid record. The logonid record contains the same fields for all users.
  • Specify system options related to the logonid record and to the operation of CA ACF2.
Changes to the information maintained in the ACFFDR are typically made only periodically. To make ACFFDR changes, you must reassemble and relink the ACFFDR. Once relinked, you must then make the new module available for use. This can be done using one of the following methods:
  • At IPL time using the CLPA option to rebuild the link-pack area (LPA)
  • Dynamically on a running system by using the F ACF2,NEWMOD(ACFFDR) command
For more information, see CA ACF2 Field Definition Records (ACFFDR).
Report Generators and Utilities
Report generators and utilities assist with security maintenance, administration, and auditing. The CA ACF2 for z/OS report generators produce reports and audit trails. Use these reports and audit trails to implement and maintain security and to monitor certain access and security violations. Most reports use data produced by CA ACF2 for z/OS and recorded with the IBM System Management Facility (SMF).
CA ACF2 for z/OS utilities provide tools for maintaining and enhancing security functions at your site. These report generators and utilities are described in Reporting.
Your Password and Password Phrase
Your password and password phrase contain a unique string of characters. Use your logonid and a password or password phrase to prove your identity to the system. Once entered, the password or password phrase is encrypted so that it is not stored as it was entered. CA ACF2 for z/OS, however, cannot protect passwords and password phrases outside the computer; such controls are the responsibility of the user. For more information, see Manage Passwords and Password Phrases and Manage Password Phrases.
User Identification String (UID)
Identifies the user and places each user in a CA ACF2-related structure. Whereas CA ACF2 uses the logonid record to verify a user's system access and privileges, CA ACF2 uses the UID to verify a user's access to data and resources. Furthermore, while the logonid identifies a unique user, the UID can identify a user or a group of users in CA ACF2 rules. The logonid record contains the fields that comprise the UID; however, the actual UID does not exist in the logonid record. The UID string is dynamically built at sign-on time.
Each site defines its own UID structure using the @UID macro in the ACFFDR. In the @UID macro, you specify the logonid record fields that you want to include in the UID. Your site can select which fields are used, but you must use the same UID format for all users. We strongly recommend that you specify the logonid at the end of your UID. This format lets you mask UIDs most effectively. For details on masking the UID parameter in rules, see Access Rules.
These fields can include the fields supplied with CA ACF2 or fields defined by your site. For example, a UID of MM0244MKTPTH consists of four site-defined fields plus the user's logonid. The layout of these fields follows:

Position   Value    Description
1          M        Site (Munich)
2          M        Division (Marketing)
3-4        02       Department (02)
5-6        44       Function code (44)
7-14       MKTPTH   Logonid (MKTPTH)
After you define your UID, you can use it to specify groups of users in access and resource rules. For more information, see Access Rules and Resource Rules.
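As an added example (Python written for this page, not CA ACF2 code), the following builds a UID from logonid record fields according to a site layout like the two shown on this page (MM0244MKTPTH and ACCTGAUDUSER01) and shows how a rule's UID mask selects a group of users once the logonid sits at the end of the string. Assumptions: the DEPT (5) and FUNCTION (3) field widths in the ACCTG layout, and the ACF2 mask characters `*` (any one character) and `-` (remainder of the string).

```python
# Added example, not CA ACF2 code: build a UID from logonid record fields per a
# site-defined layout (as a site's @UID macro would) and match it against UID
# masks of the kind used in access and resource rules.
# Mask conventions assumed: '*' matches exactly one character, '-' matches the
# remainder of the string (ACF2 masking characters).

# Layouts as (field name, width). The Munich layout is the one tabled above;
# the ACCTG layout's DEPT/FUNCTION widths (5 and 3) are assumed.
MUNICH_LAYOUT = [("SITE", 1), ("DIVISION", 1), ("DEPT", 2), ("FUNCTION", 2), ("LID", 8)]
ACCTG_LAYOUT = [("DEPT", 5), ("FUNCTION", 3), ("LID", 8)]

def build_uid(layout, logonid_record):
    """Concatenate the layout's fields, blank-padded to width, into a UID string."""
    parts = []
    for name, width in layout:
        value = str(logonid_record.get(name, ""))
        if len(value) > width:
            raise ValueError(f"{name}={value!r} exceeds its width of {width}")
        parts.append(value.ljust(width))
    # Trailing blanks come from the padded logonid field and are not significant.
    return "".join(parts).rstrip()

def uid_matches(mask, uid):
    """Return True if uid satisfies mask ('*' = any one char, '-' = rest of string)."""
    i = 0
    for m in mask:
        if m == "-":
            return True
        if i >= len(uid):
            return False          # mask demands more positions than the UID has
        if m != "*" and m != uid[i]:
            return False
        i += 1
    return i == len(uid)          # no '-': the whole UID must be consumed

def select_users(layout, mask, records):
    """Logonids whose built UID matches mask, i.e. the group a rule would cover."""
    return [r["LID"] for r in records if uid_matches(mask, build_uid(layout, r))]

# Constructed logonid records (not from the page) for the Munich layout.
RECORDS = [
    {"SITE": "M", "DIVISION": "M", "DEPT": "02", "FUNCTION": "44", "LID": "MKTPTH"},
    {"SITE": "M", "DIVISION": "M", "DEPT": "02", "FUNCTION": "31", "LID": "MKTLEE"},
    {"SITE": "M", "DIVISION": "F", "DEPT": "07", "FUNCTION": "44", "LID": "FINKAY"},
    {"SITE": "B", "DIVISION": "M", "DEPT": "02", "FUNCTION": "44", "LID": "MKTBOB"},
]

if __name__ == "__main__":
    print(build_uid(MUNICH_LAYOUT, RECORDS[0]))              # MM0244MKTPTH
    print(select_users(MUNICH_LAYOUT, "MM02-", RECORDS))     # Munich marketing, dept 02
    print(select_users(MUNICH_LAYOUT, "*M**44-", RECORDS))   # function 44 in any site's marketing
```

Because the logonid is last, a short mask such as MM02- covers every user in that department without enumerating logonids; a layout with the logonid first would force a fixed run of `*` characters in every group mask.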
USER01
Specifies the user's logonid, name, phone, and UID. The user's name is Jane Doe and her phone extension is 13. The entry ACCTGAUDUSER01 is the expanded UID, built dynamically at sign-on time from fields of the logonid record. This site defined the UID as the DEPT field, followed by the FUNCTION field and the logonid. The values ACCTG, AUD, and USER01 are taken from these fields to form the UID ACCTGAUDUSER01. The DEPT and FUNCTION fields were defined by the site and do not appear in the logonid record supplied with CA ACF2 for z/OS.
Cancel/Suspend
Indicates if the logonid is canceled or suspended and the date this action was taken.
Privileges
Specifies the type of privileges assigned to a logonid. This logonid has the authority to list but not change CA ACF2 for z/OS rule sets, records, and system options (AUDIT); to run batch jobs (JOB); and to use TSO (TSO).
Access
Provides statistics on the number of system accesses that a user makes, and the date, time, and source of the logonid's last access. In this example, Jane has made 133 system accesses. The last access was made at 09:21 on 08/15/04 from a terminal identified as LV248.
Password
Provides statistics on the violation count and date, expiration date, and change date for the password. In this example, Jane's last invalid password attempt was made on 08/15/03. The last time she changed her password was 07/28/04. On 08/15/03 she made only one invalid password attempt (PSWD-VIO), and to date she has only one invalid password attempt (PSWDCVIO). The PSWD-VIO field is incremented by one for every password violation incurred on the same date. Any password violation incurred after the date in PSWD-DAT resets the PSWD-VIO count to 1 and updates PSWD-DAT to the current date. The PSWD-VIO field is physically set to zero (0) only when the password is changed or the security administrator resets the field. The PSWDCVIO field is incremented by one for every password violation incurred since the logonid record was first created, and is physically set to zero (0) only when the security administrator resets the field.
TSO
Provides TSO data such as the logonid's TSO account number, performance group and region size. In this example, Jane's default TSO prefix is the same as her logonid (USER01). Her default SYSOUT and message classes (DFT-SOUT and DFT-SUBM) are A, and she can receive messages from other TSO users (INTERCOM). She can submit jobs from TSO (JCL), and can specify any region size at logon time (LGN-SIZE).
Statistics
Indicates the cumulative number of security violations and the date and time the logonid was last updated. In this example, the logonid has a total of one security violation (SEC-VIO). The logonid record was created at 08:19 on 08/10/03 (CRE-TOD) and was last updated at 09:21 on 08/11/04 (UPD-TOD).
Restrictions
Provides data on access to data and conditions for logon, such as time of day, time zone, and location. In this example, the PREFIX field is the only field shown here. Jane's prefix is USER01 (the same as her logonid). This field gives Jane ownership of all data sets with a high-level index of USER01. For example, she has ownership over the data sets USER01.WORK.TEXT and USER01.STATS.MASTER. No security checking is done for "owned" data sets unless RULEVLD is specified on the logonid record.
DFP
Provides information about the IBM Data Facility Product (DFP) facilities. The SMSINFO field points to a CONTROL(SMS) infostorage record (DEFPROD) that holds the default storage management class values for production data sets. In this example, when the user attempts to allocate a production data set, these defaults are tested by the Automatic Class Selection (ACS) routines to establish the storage management class values for those data sets.
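The PSWD-VIO, PSWD-DAT and PSWDCVIO rules given under Password above, modelled as an added example (Python written for this page, not CA ACF2 code) and replayed over a constructed history of invalid attempts, a password change and an administrator reset. The event format and the `replay` helper are assumptions of this example, not an ACF2 interface.

```python
# Added example, not CA ACF2 code: model the three password-violation fields of
# a logonid record and the update rules the page states for them.
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class PasswordStats:
    pswd_vio: int = 0                # PSWD-VIO: violations on the PSWD-DAT date
    pswd_dat: Optional[date] = None  # PSWD-DAT: date of the most recent violation
    pswdcvio: int = 0                # PSWDCVIO: cumulative violations since creation

def record_violation(stats: PasswordStats, when: date) -> PasswordStats:
    """Apply one invalid password attempt dated `when`."""
    if stats.pswd_dat is not None and when == stats.pswd_dat:
        stats.pswd_vio += 1          # same date: keep counting
    else:
        stats.pswd_vio = 1           # first or later date: restart the daily count
        stats.pswd_dat = when
    stats.pswdcvio += 1              # the cumulative count always grows
    return stats

def password_changed(stats: PasswordStats) -> PasswordStats:
    """A password change zeroes PSWD-VIO only; PSWD-DAT and PSWDCVIO are untouched."""
    stats.pswd_vio = 0
    return stats

def admin_reset(stats: PasswordStats, cumulative: bool = False) -> PasswordStats:
    """Security administrator reset: the only path that can zero PSWDCVIO."""
    stats.pswd_vio = 0
    if cumulative:
        stats.pswdcvio = 0
    return stats

def replay(events) -> PasswordStats:
    """Replay ('VIO', date) / ('CHANGE',) / ('RESET', cumulative) events in order."""
    stats = PasswordStats()
    for ev in events:
        if ev[0] == "VIO":
            record_violation(stats, ev[1])
        elif ev[0] == "CHANGE":
            password_changed(stats)
        elif ev[0] == "RESET":
            admin_reset(stats, cumulative=ev[1])
        else:
            raise ValueError(f"unknown event {ev!r}")
    return stats

# Constructed event history for one logonid (dates are not from the page).
SAMPLE_EVENTS = [
    ("VIO", date(2003, 8, 14)), ("VIO", date(2003, 8, 14)), ("VIO", date(2003, 8, 14)),
    ("VIO", date(2003, 8, 15)), ("VIO", date(2003, 8, 15)),
    ("CHANGE",),
    ("VIO", date(2004, 7, 30)),
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

The cumulative field is the one to watch in the ACFRPTPW and ACFRPTSL reports: a password change hides a burst of failures from PSWD-VIO but never from PSWDCVIO.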