Three different SAF classes of calls are issued by MSO: verify, program, and appl. MVS automatically issues data set-class SAF calls as well.
CA-ACF2 Release 5.2 or higher should be installed.
CA-ACF2 GLOBAL SYSTEM OPTIONS must be altered to enable SAF validation on the OPTS record. Five SAFPROT records must be added:
1. classes (verify,data set) cntlpt(SSFOC) subsys(SSFOC)
2. classes (data set) cntlpt(SSFOC) subsys(SVC019)
3. classes (data set) cntlpt(SSFOC) subsys(SVC022)
4. classes (data set) cntlpt(SSFOC) subsys(SVC026)
5. classes (facility,verify) cntlpt(SSCON) subsys(SSCON)
If a site would like to verify APPL and PROGRAM SAF calls made by MSO, the first SAFPROT record class can be changed to a dash (-). In this case, the site must code CA-ACF2 rules to allow individual users to access APPL and PROGRAM entities: the MSO LU2 applid, an APPL of MSO, and program name FOCUS, respectively.
The MSO address space must have access to all system resources that may be needed by any MSO user. CA-ACF2 checks for job-level access as well as user-level access. Thus, the job-level MSO userid must have access to all MSO data sets.
The LOGONID of the MSO job should have the MUSASS attribute set on.
Each MSO userid must be defined to CA-ACF2.
MSO must be executed from an APF-authorized library, and EXTSEC=YES must be specified.
Note: If there are problems getting CA-ACF2 to process MSO security properly, the CA-ACF2 system administrator should contact Computer Associates ACF2 Technical Services directly.
Information Builders |