ACF2

  • 1.  ACF2 equivalent of adding additional role group access?

    Posted Dec 12, 2018 02:03 AM

    We have role groups set up for different admin teams on our RACF system, and accordingly we have the UIDs set up in the ACF2 system.

     

    Now, MVS team wants to take up additional responsibilities of Storage. On RACF it was easy to add the Storage team role group to the MVS team member, not sure how to achieve this on ACF2 without having to add all the access for the UID string?

     

    eg.

    MVS role group - IBMVS

    Storage role group - IBSTG

     

    UID string of MVS team member is         IBMVS**************LID

    UID string of Storage team member is    IBSTG**************LID

     

    All the required access is based on the role based UID strings (i.e. IBMVS*** or IBSTG***).

     

    Regards,

    Rohit



  • 2.  Re: ACF2 equivalent of adding additional role group access?
    Best Answer

    Broadcom Employee
    Posted Dec 12, 2018 12:48 PM

    You could create a ROLESET record for this, but it appears all you need to do is add UID(IBMVS) wherever you already have a rule for UID(IBSTG). If you think about it, every field that makes up the ACF2 UID string is a ROLE comparable to RACF. IB is one role, MVS is a role, STG is a role, IBMVS can be one, along with IBSTG.

     

    Ken Suchomel

    ACF2 Support



  • 3.  Re: ACF2 equivalent of adding additional role group access?

    Posted Dec 13, 2018 01:55 AM

    Hi Ken,

    This might be a short-term requirement, and they do not want to add UID(IBMVS) to all the storage resources. Do you think XROL records can be used to achieve this?

     

    Thanks,

    Rohit



  • 4.  Re: ACF2 equivalent of adding additional role group access?

    Broadcom Employee
    Posted Dec 13, 2018 08:14 AM

    Yes, but it is more complicated than that. Since you already have a rule with UID, you would need to add a NEXTKEY rule into a $ROLESET rule and add them there.

     

    $KEY(STORAGE) TYPE(STG)

     UID(IBSTG**************LID) ALLOW

     UID(IBMVS**************LID) NEXTKEY(STORMVS)

     UID(-) PREVENT

     

    $KEY(STORMVS) TYPE(STG)

    $PREFIX(STORAGE)

    $ROLESET

     ROLE(MVSGROUP) ALLOW

     ROLE(-) PREVENT

     

     



  • 5.  Re: ACF2 equivalent of adding additional role group access?

    Broadcom Employee
    Posted Dec 13, 2018 08:20 AM

    FYI, you can use the UID rule on a time basis so it isn't permanent.

     

    $KEY(STORAGE) TYPE(STG)

     UID(IBSTG**************LID) ALLOW

     UID(IBMVS**************LID) ALLOW ACTIVE(01/03/19) UNTIL(03/10/19)

     UID(-) PREVENT



  • 6.  Re: ACF2 equivalent of adding additional role group access?

    Posted Dec 24, 2018 01:58 AM

    Hi Ken,

    After discussions, going with your originally suggested approach of adding the MVS UID wherever there is Storage UID. Do you know how it can be done? I pulled a report using ACFRPTRX; the problem is that there are about 200 pages of the report, and also the report only lists the lines which allow Storage folks the access to the resource/dataset and not the complete rule, and hence I can't even edit and use the report to update everything at once.

     

    Regards,

    Rohit



  • 7.  Re: ACF2 equivalent of adding additional role group access?

    Broadcom Employee
    Posted Dec 24, 2018 08:16 AM

    Hi Rohit,

    In order to assist you further, please use the support online venue and open a case so we may assist you further.

     

    ACF2 Support
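
Added example, not part of the original thread and not a Broadcom utility: assuming the rule sets are available as decompiled text in the layout shown in the posts above, this Python function adds an IBMVS entry (optionally time-limited with ACTIVE/UNTIL, as in post 5) after every IBSTG grant and returns the added entries for review. The function name, the `STORTAPE` key and the sample text are constructed for illustration.

```python
import re

UID_RE = re.compile(r"UID\(([^)]*)\)")

# Constructed sample in the layout used in this thread; STORTAPE is a made-up key.
SAMPLE = """\
$KEY(STORAGE) TYPE(STG)
 UID(IBSTG**************LID) ALLOW
 UID(-) PREVENT
$KEY(STORTAPE) TYPE(STG)
 UID(IBSTG**************LID) ALLOW
 UID(IBMVS**************LID) NEXTKEY(STORMVS)
 UID(-) PREVENT
"""

def _norm(s):
    return " ".join(s.split())

def add_role_uid(text, src="IBSTG", dst="IBMVS", active=None, until=None):
    """Clone each src-role grant for the dst role; return (new_text, added)."""
    if len(src) != len(dst):
        raise ValueError("role prefixes must be the same length (UID mask is positional)")
    lines = text.splitlines()
    have, key = set(), None
    for line in lines:  # pass 1: entries that already name the dst role, per $KEY
        if line.lstrip().startswith("$KEY("):
            key = _norm(line)
        m = UID_RE.search(line)
        if m and m.group(1).startswith(dst):
            have.add((key, _norm(line[:m.end()])))
    out, added, key = [], [], None
    for line in lines:  # pass 2: copy every line, adding clones after src grants
        out.append(line)
        if line.lstrip().startswith("$KEY("):
            key = _norm(line)
        m = UID_RE.search(line)
        if not m or not m.group(1).startswith(src) or "PREVENT" in line:
            continue  # not a src entry, or a deny that needs a manual decision
        clone = (line[:m.start(1)] + dst + line[m.start(1) + len(src):]).rstrip()
        ident = (key, _norm(clone[:m.end()]))
        if ident in have:
            continue  # dst already has an entry here (e.g. a NEXTKEY); leave it
        if active and "ACTIVE(" not in clone:
            clone += f" ACTIVE({active})"
        if until and "UNTIL(" not in clone:
            clone += f" UNTIL({until})"
        have.add(ident)
        out.append(clone)
        added.append((key, clone.strip()))
    return "\n".join(out) + "\n", added
```

Calling `add_role_uid(SAMPLE, active="01/03/19", until="03/10/19")` changes only the STORAGE key, because STORTAPE already carries an IBMVS entry; the returned list is exactly what was added and can be reviewed before the rule sets are recompiled.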