ACF2 RBAC XROL introduction

Discussion created by kristof.goossens1.1 on Aug 22, 2018



We are currently looking into implementing RBAC in ACF2 (X-ROL records).


The plan is to go for a hybrid environment where some security is role based (focus on end-user applications) and part of it is still UID-based (for example for dataset accesses, where complex nextkey structures are used).


During our functional analysis the following questions/doubts popped up:


1. Limitation of the X-ROL record name to 8 characters.


One of the main reasons to go to RBAC security on mainframe is alignment across environments. So it would be nice to be able to keep the ROL names the same on every platform. On distributed, the role names typically are longer than 8 characters (which allows you to give them a meaningful name); in ACF2, however, we are limited to 8 characters.


So somehow you need to be able to map the role names to XROL records.
The description can help a bit, but still isn't very handy for administrators as they can't do list commands based on the description (list if(...) is not possible for XROL records).


2. Which users are part of which role?


With the ROLES command you can identify the active roles for a specific user, but there is no command to identify all the users within a role. Such a command (or report) would be handy, especially when you use role groups (without the need to implement CA Compliance Information Analysis in a DB2 or CA Datacom database).


3. User experiences.


Did anyone of you already implement the XROL records?
Did you do a full conversion or did you go for a hybrid environment?
What about performance?
Any other points of attention?


Looking forward to your reply.

Kristof Goossens
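One practical way to handle the first point (keeping the long distributed role names while fitting them into 8-character XROL record names) is to derive the short name deterministically and keep a collision-checked mapping table the administrators can query in both directions. The example below is added here and is not code from the post, from CA/Broadcom, or from ACF2 itself; it assumes only that XROL names are at most 8 characters long (as stated above) and that uppercase letters and digits are acceptable characters, so check your ACF2 documentation for the exact record-name rules before using it. The names `xrol_name`, `build_role_map` and `find_long_name` are hypothetical helpers, and the role names in the sample are constructed.

```python
import hashlib
import re

MAX_XROL_LEN = 8  # limit on XROL record names stated in the post


def xrol_name(role_name: str, hash_chars: int = 3) -> str:
    """Derive a deterministic XROL record name of at most 8 characters.

    Short names are kept as-is (uppercased, non-alphanumerics removed).
    Long names are truncated to (8 - hash_chars) characters and get a
    hex suffix taken from SHA-256 of the full name, so two long roles
    that share a prefix still map to different XROL names.
    Assumption: uppercase letters and digits are legal XROL name characters.
    """
    if not 0 <= hash_chars < MAX_XROL_LEN:
        raise ValueError("hash_chars must be between 0 and 7")
    cleaned = re.sub(r"[^A-Z0-9]", "", role_name.upper())
    if not cleaned:
        raise ValueError(f"role name {role_name!r} has no usable characters")
    if len(cleaned) <= MAX_XROL_LEN:
        return cleaned
    prefix = cleaned[: MAX_XROL_LEN - hash_chars]
    digest = hashlib.sha256(role_name.encode("utf-8")).hexdigest().upper()
    return prefix + digest[:hash_chars]


def build_role_map(role_names, hash_chars: int = 3) -> dict:
    """Map every distributed role name to its XROL name.

    Raises ValueError if two different roles would collapse onto the
    same 8-character name, which is the case an administrator must
    catch before inserting the XROL records.
    """
    mapping = {}
    owner_of_short = {}
    for role in role_names:
        short = xrol_name(role, hash_chars)
        previous = owner_of_short.get(short)
        if previous is not None and previous != role:
            raise ValueError(
                f"collision: {role!r} and {previous!r} both map to {short}"
            )
        owner_of_short[short] = role
        mapping[role] = short
    return mapping


def find_long_name(mapping: dict, short: str):
    """Reverse lookup: given an XROL name, return the distributed role name."""
    for role, xrol in mapping.items():
        if xrol == short:
            return role
    return None


if __name__ == "__main__":
    # Constructed sample of distributed role names (not real roles).
    sample_roles = [
        "PAYROLL",
        "Payroll-Clerk-Readonly",
        "Payroll-Clerk-Update",
        "hr.benefits.approver",
    ]
    table = build_role_map(sample_roles)
    for role, xrol in table.items():
        # The long name belongs in the XROL record description so it stays visible.
        print(f"{xrol:<8}  <-  {role}")
```

The hex suffix is what keeps roles with a common prefix apart; with `hash_chars=0` the function degrades to plain truncation, and `build_role_map` then reports the collision instead of silently overwriting a role. The reverse lookup is the piece that answers the administrator's question "which distributed role is this XROL record?", which the description field alone cannot be listed on.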