ACFESAGE - CA ACF2 Database Offload to Flat File Utility
Describes the ACFESAGE flat-file offload utility
The CA ACF2 flat-file offload utility ACFESAGE provides a flat-file representation of a subset of the CA ACF2 databases. The file contains equivalent records for logonid and user profile records, generalized resource rules including DB2, and data set access rules. Use the information provided in the file to create reports to review and make appropriate changes to the records and rules on your system.
ACFESAGE runs against backup copies of the CA ACF2 databases. Therefore, CA ACF2 does not generate the overhead which would occur from repeated access to the live CA ACF2 databases. Since the backup files are used as input, data on the flat file records are current as of the time that the CA ACF2 database backup was taken. Changes to the live databases after the backup are not reflected in the flat file.
ACFESAGE runs as a normal problem program. During initialization, the program checks the authority level of the region logonid. If the logonid does not have the SECURITY attribute, or has SECURITY and is scoped, the program terminates and the following message displays:
ACFE026E - Must be run by an unscoped security officer
The records in the output flat file contains data such as rules. If your site does not want the rules available to general users, you must restrict access to the CA ACF2 backup databases and flat-file output of the ACFESAGE utility.
The data on the output flat file should be used for reporting purposes only. The data should
notbe used to make security policy decisions. Since ACFESAGE runs against backup database files, its data cannot be more current than the last successful backup to those files.
Running the Utility Using JCL
You can use JCL to run the ACFESAGE program. The following parameters are specific to ACFESAGE.
- TITLESpecifies an optional title of up to 35 characters which replaces the default value in the title line of the ACFESAGE summary report. The default is “CA ACF2 Database Unload”
- DATEFMT(YYMMDD|DDMMYY|MMDDYY|JULIAN)Specifies the format into which the date portion of TOD fields are translated. Gregorian dates are displayed in nn/nn/nn format, while Julian dates are displayed in yyyy/nnn format.
Input and Output Files
ACFESAGE accepts CA ACF2 backup data sets as its primary inputs. The data set names for the input backup files must be as follows:
- INFOSTGThe backup infostorage file
- LOGONIDSThe backup logonids file
- RULESThe backup rules file
TITLE and DATEFMT input parameters must be provided in the SYSIN file. A summary report mentioning the number of records and instances of each record type is processed and written to the SYSPRINT file. SYSPRINT also receives error messages from unusual conditions that are encountered during processing.
- SYSPRINTUsed for error messages and the summary report. SYSPRINT is a sequential file with characteristics RECFM=VB or VBA, LRECL=137. SYSPRINT is allocated to SYSOUT, but can also be allocated to sequential disk, tape, or a terminal.
- SYSINSpecifies input parameter information for ACFESAGE. ACFESAGE accepts all parameter input from the SYSIN file, the JCL parameter field, or both. The parameters that are specified in the SYSIN file supersede parameters that are specified in the JCL parameter field.
- INFOSTGSpecifies the input infostorage backup file. ACFESAGE does not use the live <acf> databases. This file is required. An open failure terminates execution.
- LOGONIDSSpecifies the input logonids backup file. ACFESAGE does not use the live <acf> databases. This file is required. An open failure terminates execution.
- RULESSpecifies the input rules backup file. ACFESAGE does not use the live <acf> databases. This file is required. An open failure terminates execution.
- OUTFILESpecifies the principal output file. The OUTFILE contains flat-file representations of the logonid, user profile, and rule records contained in the input INFODB, LIDSDB, and RULEDB data sets. The Record format (RECFM) must be V or VB, and the LRECL must be 1240. The records in the OUTFILE data set are described by the SAGEREC distributed macro. The OUTFILE data set may be allocated using JCL in the step which executes ACFESAGE since it is a normal sequential data set.
The ACFESAGE summary report consists of following sections:
- Format/Processing ErrorsLists the keys of user profile records whose contents did not match the format that is required for the record type. Also listed are resource and data set rules that cannot be decompiled. Records that are listed in this section were not formatted to the flat file. If a file could not be opened, the associated error message displays.
- Database Input StatisticsLists the three primary input files and the number of records that are read from each. The raw count includes:
- Record types that are not processed by the program.
- Records that failed internal edits and were not written to the flat file
- Records that produced flat-file output.
- Record Summary by Entity TypeLists the entity types which produced flat file records. The summary provides a count of the number of records that are processed by type and the number of resulting flat file records.
Sample Report Output
The following sample summary report from the offload of a small
ACF2test database does not have a complete set of user profile records. Page 1 of the report identifies two user profile record occurrences. The record occurrences failed format checking and were not written to the output file. Page 2 contains the summary data. The “DATABASE INPUT STATISTICS” section shows the number of records that are read from the three backup files. The “RECORDS PROCESSED BY TYPE” section shows the number of records of each type that are processed to the flat file. The section also shows the total number of records that are produced for each record type.
The rule records and certain user profile records have more output records than input records.
CA ACF2 FOR Z/OS - OFFLOAD FROM MARCH 20 BACKUP -- Page 1 DATE 03/22/10 (10/081) TIME 16:04:40 ACFE050I IMPROPER FORMAT FOR OMVS RECORD WITH KEY AABBCC ACFE051I RECORD WILL NOT BE FORMATTED TO FLAT FILE. ACFE050I IMPROPER FORMAT FOR PROXY RECORD WITH KEY MASTER ACFE051I RECORD WILL NOT BE FORMATTED TO FLAT FILE. CA ACF2 FOR Z/OS - OFFLOAD FROM MARCH 20 BACKUP -- Page 2 DATE 03/22/10 (10/081) TIME 16:04:40 DATABASE INPUT STATISTICS DATABASE RECORDS READ -------- ------------ LIDS 4,237 INFOSTG 7,579 RULES 425 RECORDS PROCESSED BY TYPE OCCURRENCES RELATED RECORDS READ FROM WRITTEN TO RECORD TYPE DATABASE FLAT FILE ----------------------- ------------- --------------- LOGONID RECORDS 4,237 93,496 RESOURCE RULES 2,626 18,210 DATASET RULES 425 3,150 USER PROFILE CERTDATA 49 130 USER PROFILE CICS 3 3 USER PROFILE DCE 16 25 USER PROFILE EIM 8 8 USER PROFILE IDMAP 0 0 USER PROFILE KERBEROS 0 0 USER PROFILE KERBLINK 1 1 USER PROFILE KEYRING 27 59 USER PROFILE LANGUAGE 6 6 USER PROFILE LINUX 81 291 USER PROFILE LNOTES 44 44 USER PROFILE MFA 20 20 USER PROFILE MFACOM 3 3 USER PROFILE NDS 43 43 USER PROFILE NETVIEW 14 47 USER PROFILE OMVS 471 1,274 USER PROFILE OPERPARM 10 15 USER PROFILE PASSWORD 76 76 USER PROFILE PWPHRASE 157 157 USER PROFILE SECLABEL 30 178 USER PROFILE PROXY 2 3 USER PROFILE WRKATTR 19 19 OTHER PROFILE APPCLU 17 54 OTHER PROFILE APPCLU SESSION 22 22 OTHER PROFILE CSFKEYS 66 109 OTHER PROFILE XCSFKEY 66 108 OTHER PROFILE DATASET COMPILED 11 33 OTHER PROFILE DATASET DFPR 11 35 OTHER PROFILE DLFCLASS 18 58 OTHER PROFILE DLFDATA 7 7 OTHER PROFILE ERASE 1 3 OTHER PROFILE GROUP 123 123 OTHER PROFILE KEYSMSTR 0 0 OTHER PROFILE PTKTDATA 2 2 OTHER PROFILE SDB2 1 2 OTHER PROFILE SECLEVEL 234 234 OTHER PROFILE CATEGORY 14 14 OTHER PROFILE SECLABEL 36 236 OTHER PROFILE SECLABEL COMPILED 368 736 OTHER PROFILE SECLABEL(DSN) 164 164 OTHER PROFILE SIGNVER 32 32 OTHER PROFILE SYSMVIEW 6 14 OTHER PROFILE SVFMR 5 5 OTHER RECORD MFPOLICY 2 2 OTHER RECORD SCOPE 40 584 OTHER RECORD TAM 32 32 OTHER RECORD XROL 11 42 ACTIVE DATA 0 320 TOTAL RECORDS WRITTEN TO FLAT FILE 120,229
//* THIS JOB PRODUCES A FLAT-FILE OFFLOAD OF THE CA ACF2 BACKUP //* DATABASES NAMED ACF2.BKINFO, ACF2.BKLIDS, AND //* ACF2.BKRULES //SAGEUNLD EXEC PGM=ACFESAGE,REGION=0K //RULES DD DISP=SHR,DSN=ACF2.BKRULES,DCB=BUFNO=30 //INFOSTG DD DISP=SHR,DSN=ACF2.BKINFO,DCB=BUFNO=30 //LOGONIDS DD DISP=SHR,DSN=ACF2.BKLIDS,DCB=BUFNO=30 //OUTFILE DD DISP=(NEW,CATLG,DELETE),DSN=TEST.FLAT.FILE, // SPACE=(CYL,(50,10)),UNIT=SYSDA // DCB=(RECFM=VB,BLKSIZE=10000,LRECL=1240) //SYSPRINT DD SYSOUT=* //SYSIN DD * DATEFMT(YYMMDD),TITLE(OFFLOAD FROM MARCH 20 BACKUP) /*Smpl