Step 4. ACF2 Security Definition Samples

Step 4.1 Control-M Security Definitions

Select this step to edit the CTMSSAF2 member in the IOA INSTWORK library.

  1. Associating users with Extended Definition mode.

    Add the following ACF2 commands to define the $$CTMEDM.qname entity to ACF2/SAF and authorize users to this entity:

    SET RESOURCE(CMF)
    COMP
    $KEY($$CTMEDM.qname) TYPE(CMF)
    UID(USERA) ALLOW

    If the definition mode of a Control‑M security module was defined as COND and the user does not have access to this entity, the user is set to work in Basic Definition mode. Otherwise, the user is set to work in Extended Definition mode.

  2. Define entities and user authorizations to CA-ACF2/SAF.

    For more information about entities and user authorizations, see Control-M Basic Definition Security Calls and Control-M Extended Definition Security Calls.

To define and authorize the resource profile in Basic Definition mode to protect ordering of STCs beginning with SYS, specify the following command:

SET RESOURCE(CMF)
COMP
$KEY($$CTMSTC.qname.SYS**************************)
UID(USERA) ALLOW

where qname is the name used to assign different authorizations to different IOA environments (such as Test and Production). This parameter is specified during IOA installation.

To authorize USERA access to a given Control‑M entity, use the following command:

SET RESOURCE(CMF)
COMP
$KEY($$CTMnnn.qname)
UID(USERA) ALLOW

where CTMnnn is the entity name of the Control‑M protected element described in Control-M Basic Definition Security Calls for Basic Definition mode and in Control-M Extended Definition Security Calls for Extended Definition mode.

For samples of user authorizations, review member CTMSSAF3 in the IOA INSTWORK library.

  3. Submit the job.

    Run this job with a user who has authorization to enter these ACF2 commands.

    Scan the job output for information and error messages produced by ACF2.

  4. Rebuild resource type CMF rules.

    Rebuild the resource type CMF rules by issuing the following MVS command:

    F ACF2,REBUILD(CMF)
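
The following added example (not part of the BMC documentation) is a Python check to run over the Step 4.1 rule text before submitting the job: it lists, per qname, the UIDs that are allowed some Control-M entity but have no ALLOW on $$CTMEDM.qname, and so would work in Basic Definition mode when the definition mode is COND. The qname values PROD and TEST, the user USERB and both function names are assumptions, and the sample rules are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the CTMSSAF2 member. PROD and TEST are
# assumed qname values and USERB is a made-up second user.
SAMPLE = """\
SET RESOURCE(CMF)
COMP
$KEY($$CTMEDM.PROD) TYPE(CMF)
UID(USERA) ALLOW
SET RESOURCE(CMF)
COMP
$KEY($$CTMSTC.PROD.SYS**************************)
UID(USERA) ALLOW
UID(USERB) ALLOW
SET RESOURCE(CMF)
COMP
$KEY($$CTMSTC.TEST.SYS**************************)
UID(USERB) ALLOW
"""

KEY_RE = re.compile(r"^\$KEY\(\$\$(CTM\w+)\.([^.)]+)(?:\.[^)]*)?\)")
UID_RE = re.compile(r"^UID\(([^)]*)\)\s+(\w+)")

def parse_grants(text):
    """Return {qname: {entity: set of UID masks that have ALLOW}}."""
    grants = defaultdict(lambda: defaultdict(set))
    current = None
    for raw in text.splitlines():
        line = raw.strip().upper()
        if m := KEY_RE.match(line):
            current = (m.group(2), m.group(1))  # (qname, entity)
        elif (m := UID_RE.match(line)) and current and m.group(2) == "ALLOW":
            grants[current[0]][current[1]].add(m.group(1))
    return grants

def basic_mode_users(grants):
    """Per qname, UID masks granted some entity but not $$CTMEDM.qname."""
    result = {}
    for qname, entities in grants.items():
        others = set().union(*(u for e, u in entities.items() if e != "CTMEDM"))
        # Masks are compared as literal strings; overlapping masks are not resolved.
        missing = sorted(others - entities.get("CTMEDM", set()))
        if missing:
            result[qname] = missing
    return result

if __name__ == "__main__":
    print(basic_mode_users(parse_grants(SAMPLE)))
```
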

Step 4.2 Function Security Definitions (Optional)

The IOASTSS3 job in the IOA INSTWORK library is optional. It contains some definition samples for various entities. Customize this job according to your requirements and submit it.

Step 4.3 Control Program Access to Datasets (Optional)

BMC recommends that, before selecting this step, the security administrator first read Limiting Access to Specific Programs and the IBM Resource Access Control Facility Security Administrator's Guide.

Select this step to edit the CTMSSAF4 member in the IOA INSTWORK library. This member contains a sample of the definitions required to define Program Pathing access authorizations to Control‑M datasets. Review the definitions and modify them to meet your site's requirements.
