Discussion:
SAF: ACF2 vs RACF
Patrick O'Keefe
2004-07-02 22:07:50 UTC
I just moved from a RACF shop to an ACF2 shop. I've never pretended to
know much about RACF but I knew enough of the concepts and terminology to
ask for READ access to RESOURCE=*.FOO.BAR.**,CLASS=BARF.

In my cursory browsing of ACF2 doc I cannot find its equivalent to a SAF
CLASS. Would an ACF2 admin person understand a request for
"READ access to RESOURCE=*.FOO.BAR.**,CLASS=BARF"?

Can anyone recommend an FM to read as a reasonable intro to ACF2 for a
(non-security oriented) system programmer?

Thanks in advance.

Pat O'Keefe

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
Brian Peterson
2004-07-02 22:35:00 UTC
In ACF2, there are three security data bases - Logonids, Data Set Rules,
and Infostorage data bases.

Of course RACF userids map to the ACF2 Logonid data base, and any RACF
DATASET entry maps to the Data Set Rules data base.

In ACF2, everything else is stored in the Infostorage data base.

There are also special entries which map the 8 character RACF class name to
the 3 character ACF2 resource type code. For example, by default (as I
recall), the FACILITY class maps to ACF2 type FAC. This default mapping
can be overridden by the security administrator/sysprog.

In summary, based on my previous experience as an ACF2 sysprog, in order to
be effective as an ACF2 sysprog or administrator, it is very helpful to
understand RACF terminology in order to be able to translate RACF requests
for security into the corresponding ACF2 entries. I would therefore
imagine that your security folks are well aware of RACF terminology.

While it is probably overkill for your needs, I think it never hurts to
understand how software works. Therefore you might want to look over the
ACF2 Security Administrator's Guide manual and perhaps the ACF2 Systems
Programmers Guide manual - at least a couple of the chapters dealing with
the aspects of security you're interested in.

Brian

On Fri, 2 Jul 2004 17:07:44 -0500, Patrick O'Keefe
Post by Patrick O'Keefe
I just moved from a RACF shop to an ACF2 shop. I've never pretended to
know much about RACF but I knew enough of the concepts and terminology to
ask for READ access to RESOURCE=*.FOO.BAR.**,CLASS=BARF.
In my cursory browsing of ACF2 doc I cannot find its equivalent to a SAF
CLASS. Would an ACF2 admin person understand a request for
"READ access to RESOURCE=*.FOO.BAR.**,CLASS=BARF"?
Can anyone recommend an FM to read as a reasonable intro to ACF2 for a
(non-security oriented) system programmer?
Thanks in advance.
Pat O'Keefe
J***@ibm-main.lst
2004-07-06 13:01:10 UTC
The ACF2 manuals should contain an entire section of RACF equivalents when
using ACF2. I know the Top Secret manuals had this, back when I worked
with Top Secret. The most common item I found myself looking for was
IBMFAC; I believe ACF2 and Top Secret both use this for defining
facilities.



John Benik



Patrick O'Keefe
2004-07-02 23:06:41 UTC
On Fri, 2 Jul 2004 17:34:54 -0500, Brian Peterson
Post by Brian Peterson
...
In ACF2, everything else is stored in the Infostorage data base.
There are also special entries which map the 8 character RACF class name to
the 3 character ACF2 resource type code. For example, by default (as I
recall), the FACILITY class maps to ACF2 type FAC. This default mapping
can be overridden by the security administrator/sysprog.
...
Thanks for the info. I guess I'll have to talk to the ACF2 admin person
since the classes I'm interested in (NETCMDS, RMTOPS, maybe others)
probably don't have predefined mappings.
Post by Brian Peterson
While it is probably overkill for your needs, I think it never hurts to
understand how software works. Therefore you might want to look over the
ACF2 Security Administrator's Guide manual and perhaps the ACF2 Systems
Programmers Guide manual - at least a couple of the chapters dealing with
the aspects of security you're interested in.
...
I glanced through those but rapidly got lost. Looks like I'd better spend
some time and actually read them.

Pat O'Keefe

Barry Schrager
2004-07-03 01:45:38 UTC
In article <LISTSERV%***@BAMA.UA.EDU>, ***@ibm-main.lst says...
Post by Patrick O'Keefe
I just moved from a RACF shop to an ACF2 shop. I've never pretended to
know much about RACF but I knew enough of the concepts and terminology to
ask for READ access to RESOURCE=*.FOO.BAR.**,CLASS=BARF.
In my cursory browsing of ACF2 doc I cannot find its equivalent to a SAF
CLASS. Would an ACF2 admin person understand a request for
"READ access to RESOURCE=*.FOO.BAR.**,CLASS=BARF"?
Can anyone recommend an FM to read as a reasonable intro to ACF2 for a
(non-security oriented) system programmer?
Thanks in advance.
Pat O'Keefe
Patrick,

I wrote the Resource Rule support for ACF2 before RACF had the
equivalent concept. I chose 3 character resource types. RACF came
later and used 8 character resource classes. There is a mapping from
the 8 character class to the 3 character type. Your Security
Administrator can tell you what it is or define it for you.
--
Barry Schrager
***@cs.com