Installing and Using an External Password Security System


There are two options for using an external password security system with FOCUS:

  1. Use the FOCUS-supplied ACF2 Interface.
  2. Write and use your own security interface. For more information on this topic, see User Exits.

The FOCUS-Supplied CA-ACF2 Interface

The FOCUS/CA-ACF2 Interface is an optional FOCUS facility that integrates FOCUS security features with the CA-ACF2 file security system. It provides the following benefits to FOCUS users and security administrators:

Each logon ID exists on a CA-ACF2 LOGONID record and is paired with a FOCUS user ID that provides access to FOCUS data sources. When a user enters FOCUS, the CA-ACF2 Interface infers the FOCUS user ID from the user-supplied logon ID. This FOCUS user ID is maintained for the duration of the session, and may or may not be overridden by the user. The result of the inference is equivalent to issuing the FOCUS command

SET USER = userid

Once the Interface is installed, FOCUS users see no difference between the default version of FOCUS and the CA-ACF2 protected version until they attempt to override their FOCUS user IDs. Database administrators can use the CA-ACF2 CHANGE command to assign FOCUS user IDs to logon IDs as default or imposed FOCUS user IDs.



Syntax: How to Assign a Default FOCUS User ID

The LOGONID record can contain a default FOCUS user ID, up to eight bytes long, which is inferred from the user's LOGONID record and which the user can override.

To assign a default FOCUS user ID for a logon ID, use the CHANGE command and specify a FOCUS user ID (up to eight bytes long) that does not end in a period. For example, if logon user SMITH wishes to access the data as TOM, he (or the administrator) would issue the following CA-ACF2 command:

CHANGE SMITH FOCUSID(TOM)

This is functionally equivalent to issuing the FOCUS command

SET USER = TOM

or

SET PASS = TOM

issued by userid SMITH. SMITH could override this latest access by issuing another SET USER or SET PASS command, or a Dialogue Manager -PASS command.



Syntax: How to Assign an Imposed FOCUS User ID

When the CA-ACF2 LOGONID record contains an imposed FOCUS user ID, the user cannot override it. An imposed FOCUS user ID can have up to seven bytes plus a period, for a maximum length of eight bytes.

To assign an imposed FOCUS user ID to a logon ID, use the CA-ACF2 CHANGE command and include a period (.) at the end of the FOCUS user ID. For example,

CHANGE SMITH FOCUSID(TOM.)

This assigns an imposed FOCUS user ID of TOM. for logon ID SMITH. In this case, the user operates FOCUS with an imposed level of access to FOCUS files that he cannot change. FOCUS behaves as if user SMITH had entered

SET USER = TOM

as his first FOCUS command. However, the period at the end of the FOCUS user ID in the LOGONID record prevents the user from overriding this level of access. Any attempt to override the imposed ID results in a FOCUS diagnostic message.



Reference: Unidentified FOCUS Users

It is not necessary to identify all possible FOCUS users in the CA-ACF2 LOGONID records. Users whose LOGONID records provide no FOCUS user ID operate FOCUS as if the FOCUS/CA-ACF2 Interface were not installed. If they wish to access files protected by FOCUS security features, they must identify themselves through an explicit SET USER or SET PASS command or the Dialogue Manager -PASS command.
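The default, imposed and unidentified cases described above can be checked across many logon IDs with a short audit script. This is an added example, not code from FOCUS or CA-ACF2: the (logon ID, FOCUSID) rows are constructed, the function names are hypothetical, and treating a lone period as invalid is an assumption.

```python
# Added example: classify FOCUSID values by the rules on this page.
# Assumes single-byte characters, so len() counts bytes.

MAX_LEN = 8  # FOCUSID holds at most eight bytes


def classify_focusid(value):
    """Return (kind, focus_user); kind is none, default, imposed or invalid."""
    v = (value or "").strip()
    if not v:
        return ("none", None)          # unidentified user: must SET USER / SET PASS
    if len(v) > MAX_LEN:
        return ("invalid", None)       # longer than eight bytes
    if v.endswith("."):
        user = v[:-1]                  # up to seven bytes plus the period
        if not user:
            return ("invalid", None)   # assumption: a lone period names no ID
        return ("imposed", user)       # user cannot override
    return ("default", v)              # user can override


def impose_command(logonid, value):
    """CHANGE command that turns a default FOCUSID into an imposed one, or None."""
    kind, user = classify_focusid(value)
    if kind != "default":
        return None
    if len(user) > MAX_LEN - 1:
        return None                    # 8-byte ID leaves no room for the period
    return f"CHANGE {logonid} FOCUSID({user}.)"


def audit(rows):
    """Classify every (logon ID, FOCUSID) pair and suggest a lock-down command."""
    report = []
    for logonid, value in rows:
        kind, user = classify_focusid(value)
        report.append({"logonid": logonid, "kind": kind, "focus_user": user,
                       "impose_with": impose_command(logonid, value)})
    return report


# Constructed sample rows, not taken from any real LOGONID database.
SAMPLE = [("SMITH", "TOM"), ("JONES", "TOM."), ("BROWN", ""),
          ("DAVIS", "PAYROLL1"), ("EVANS", "PAYROLL12")]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

An eight-byte default such as PAYROLL1 cannot be made imposed as it stands, because the trailing period would exceed the eight-byte limit; the script reports no command for it.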



Procedure: How to Install the CA-ACF2 Interface

To install the FOCUS/CA-ACF2 Interface, follow these steps:

  1. Edit member JCLACF21 in the FOCCTL.DATA library, according to the following steps and your installation's specifications. Then submit the job, which creates the module FOCUSID and links the live CA-ACF2 modules into FOCUS. The JCLACF21 member shipped with FOCUS follows:
    //LINK1 EXEC  PGM=IEWL,PARM='LET,NCAL,LIST,SIZE=1024K'
    //SYSPRINT DD SYSOUT=*
    //SYSUT1   DD UNIT=SYSDA,SPACE=(CYL,(10,1))
    //OLDMOD   DD DSN=prefix.FOCLIB.LOAD,DISP=SHR
    //FOCUSID  DD DSN=prefix.FOCCTL.DATA(FOCACF21),DISP=SHR
    //MAINTAIN DD DSN=prefix.FOCCTL.DATA,DISP=SHR
    //*ACFMOD  DD DSN=***.***,DISP=SHR
    //SYSLMOD  DD DSN=prefix.TEST.FOCLIB.LOAD,DISP=SHR
    //SYSLIN   DD *
     MODE AMODE(24),RMODE(24)
     INCLUDE FOCUSID                 <---- FOCUSID CODE
     INCLUDE MAINTAIN(ACFINT1)       <---- MODE-SWITCHING CODE
     ENTRY ACFINT1                   <---- CNTL STATEMENT
     NAME FOCUSID(R)                 <---- NEW MODULE
     INCLUDE MAINTAIN(ACFINT0,ACFID) <---- ACTIVATION PROGRAMS
     INCLUDE OLDMOD(CORFOC)          <---- MODULE TO BE CHANGED
     INCLUDE MAINTAIN(CORFOC)        <---- CNTL STATEMENTS
     NAME FOCUS(R)                   <---- NEW MODULE
    /*
    1. If the CA-ACF2 ACCVT is not anchored in the subsystem vector control table (SSVT), activate the ACFMOD DD statement. Also include the following under the SYSLIN DD statement immediately preceding the INCLUDE FOCUSID card:
      INCLUDE ACFMOD($ACFGCVT)
    2. Note that the MAINTAIN DD statement should point to the maintenance data set for the load library specified on the OLDMOD DD statement. The new module is created in the data set pointed to by SYSLMOD, from the like-named module contained in the data set pointed to by OLDMOD. Note that if the two statements point to the same data set, the new module will replace the old. Otherwise, after testing the new module, you can copy it to the old.
  2. Add a field to member USERLID of SYS1.ACFMAC:
    LIDFOCID  DS  CL8  FOCUSID
  3. Add the following @CFDE macro to member USERCFDE of SYS1.ACFMAC. Note that the ALTER and LIST attributes may be different at your installation.
    @CFDE      FOCUSID,LIDFOCID,CHAR,                        X
               ALTER=ACCOUNT,LIST=ALL,FLAGS=NULL,PRTN=9,     X
               RRTN=1,GROUP=4
  4. Reassemble and link the ACFFDR into LPALIB.
  5. IPL with CLPA.

Information Builders