
CICS / ACF2 Exit


Kindness, David A
May 2, 1997

1. Define a transaction to ACF2 but not to CICS.
2. Grant access to the users who have update authority.
3. Write a utility program that LINKs to ACFAEUCC. There are examples in the book.
4. Have your application programs LINK to your utility to do validation. (That way, if the ACFAEUCR commarea ever changes, or you convert to RACF, you won't have to go back and find/change the application code. Just your utility.)


I found this code snippet, I think this is what you need, but I'm not
sure.

Use at your own risk....

TRANSACTION_VALIDATION_CHECK EQU *
*        BUILD THE ACFAEUCR REQUEST: TYPE 'TRANS', NAME = THE 4-BYTE
*        TRANSACTION ID SUFFIXED WITH 'X' (THE DUMMY TRANSACTION THAT
*        IS DEFINED TO ACF2 BUT NOT TO CICS), BLANK-PADDED TO 40 BYTES
         MVC   UCRSCTNM,=CL8'TRANS'
         MVI   UCRSCNME,C' '
         MVC   UCRSCNME+1(39),UCRSCNME
         MVC   UCRSCNME(4),PARM_TRANSACTION_ID
         MVC   UCRSCNME+4(1),=C'X'
*
         MVI   UCRSCREQ,UCRSCRIN       SET TO DO RULE INTERPRET
         MVI   UCRSCAC,UCRSCAAC        SET FOR GENERAL ACCESS
         MVI   UCRSCVER,UCRSCVEY       LET ACF2 VERIFY PASSWORD
         MVI   UCRSCABD,UCRSCABN       DO NOT ABEND IF VIOLATION
*
*        CALL THE ACF2 HIGH-LEVEL INTERFACE, PASSING THE REQUEST AREA
         EXEC  CICS LINK PROGRAM('ACFAEUCC')                           X
               COMMAREA(ACFAEUCR)                                      X
               LENGTH(512)
*
         CLI   UCRSCRC,UCRSCRA         IS THIS A GOOD RETURN CODE
         BE    ACCESS_ALLOWED          YES ==> SET GOOD RETURN
------------------------------------------------------------------------------------------
AMP Inc. MS 194-09 PO Box 3608 Harrisburg Pa. 17105
Phone 717-810-2268 Fax 717-810-2236
IBMMail ID: USAMPBDP Internet: daki...@amp.com

----------
From: Marsh, Thomas S.[SMTP:Mar...@DIEBOLD.COM]
Sent: Friday, May 02, 1997 4:22 AM
To: Multiple recipients of list CICS-L
Subject: CICS / ACF2 Exit

Does anyone know of / have an ACF2 exit (or function which calls ACF2)
to handle function-level security in a CICS transaction? Specifically, I
need one group of users to be able to retrieve and update, while
another group can only retrieve.

TIA

Tom

mru...@cat.e-mail.com
May 2, 1997

We do resource level security checks with ACF2. I believe you do this by using 'RESOURCE' as
the UCRSCTNM instead of 'TRANS'. Check the ACF2 manual.

We had problems with this interface when converting to CICS 4.1 last year. ACF2 did not have
the high level interface functionality completed for 4.1 at the time and claimed "not a lot
of customers use the high level interface."

If you do use this interface, DEFINITELY code a utility and have ALL programs that use it LINK
to it.

Jose and Angela Campos
May 2, 1997

Why can you set up a resource rule with one group of users having READ
access and another one UPDATE?

Kindness, David A
May 5, 1997

>Jose and Angela Campos[SMTP:mizzoufa...@WORLDNET.ATT.NET] wrote
>
>Why can you set up a resource rule with one group of users having READ
>access and another one UPDATE?

I'm not an expert on ACF2 rules, so if you can write a resource rule
as opposed to a transaction rule, that should work too.

If you're questioning why we would want to call an ACF2 exit,
it's because we want to make our applications *friendly*. I.e.: is the
user authorized? No, he is not; send him a message that he is not
authorized to request that function, as opposed to letting ACF2 give
him an SECV abend when he accesses the resource.

Philip Emrich
May 5, 1997

From: Philip L. Emrich
Dallas Systems Center - CICS Systems Consulting & Support
---------------------------------------------------------------
Subject: Re: CICS / ACF2 Exit

For either CICS/ESA 3.3 or 4.1 an application may issue an EXEC CICS
QUERY SECURITY command and may include both the READ and UPDATE options.
The command will invoke the external security manager and determine
whether the userid under which the transaction is executing has UPDATE,
READ or no access authority at all to the resource named on the QUERY
SECURITY command. The command response is based on the rules that have
been defined to ACF2. The CICS application is free to respond to the
end user in any way that it chooses if the access authority for the user
is less than that required.

Regards,

Philip L. Emrich phil_...@vnet.ibm.com or USIB3FGC @ IBMMAIL
IBM - Dallas Systems Center - CICS & RACF Consulting & Technical Support

*** Referencing note of 05/05/97 08:05
=========================================================================
Date: Mon, 5 May 1997 09:03:15 -0400
From: "Kindness, David A" <daki...@AMP.COM>
Subject: Re: CICS / ACF2 Exit
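An added example of the QUERY SECURITY approach Philip describes, written for this thread and not taken from any post or from IBM or CA code: one call returns both the READ and the UPDATE authority of the signed-on user for a resource, and the program picks its mode from that before any update is attempted, giving the friendly message the earlier reply asked for instead of a resource-check abend. The program name ORDRMODE, the file name ORDRFILE and the message texts are assumptions; it also assumes the ESM honours QUERY SECURITY in your release (see the later remarks in this thread about ENF and INITIAL XSP=YES).

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. ORDRMODE.
      * Added example, not from the thread: decide the application
      * mode (UPDATE, READ-only or none) from one QUERY SECURITY
      * call instead of letting the update itself fail the check.
      * ORDRFILE and the message texts are assumed values.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  WS-RESTYPE          PIC X(12) VALUE 'FILE'.
       01  WS-RESID            PIC X(8)  VALUE 'ORDRFILE'.
       01  WS-READ-CVDA        PIC S9(8) COMP.
       01  WS-UPD-CVDA         PIC S9(8) COMP.
       01  WS-RESP             PIC S9(8) COMP.
       01  WS-RESP2            PIC S9(8) COMP.
       01  WS-MODE             PIC X(6)  VALUE 'NONE'.
       01  WS-MSG              PIC X(60) VALUE SPACES.
       PROCEDURE DIVISION.
       MAIN-PARA.
      *    READ and UPDATE are returned as CVDA values, not raised as
      *    conditions, so they are tested with DFHVALUE below.
           EXEC CICS QUERY SECURITY
                RESTYPE(WS-RESTYPE)
                RESID(WS-RESID)
                READ(WS-READ-CVDA)
                UPDATE(WS-UPD-CVDA)
                RESP(WS-RESP)
                RESP2(WS-RESP2)
           END-EXEC
      *    Fail closed: NOTFND, INVREQ or any other abnormal RESP
      *    means the user gets no access, never a guessed mode.
           IF WS-RESP NOT = DFHRESP(NORMAL)
              MOVE 'NONE' TO WS-MODE
              MOVE 'SECURITY CHECK FAILED - CONTACT SUPPORT' TO WS-MSG
           ELSE
              IF WS-UPD-CVDA = DFHVALUE(UPDATABLE)
                 MOVE 'UPDATE' TO WS-MODE
              ELSE
                 IF WS-READ-CVDA = DFHVALUE(READABLE)
                    MOVE 'READ' TO WS-MODE
                    MOVE 'YOU MAY VIEW BUT NOT CHANGE ORDERS' TO WS-MSG
                 ELSE
                    MOVE 'NONE' TO WS-MODE
                    MOVE 'YOU ARE NOT AUTHORIZED FOR THIS FUNCTION'
                      TO WS-MSG
                 END-IF
              END-IF
           END-IF
      *    Screen logic (assumed, not shown) displays WS-MSG and only
      *    offers the update function when WS-MODE = 'UPDATE'.
           EXEC CICS RETURN END-EXEC.
```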

Kindness, David A
May 5, 1997

ACF2 does not have to run as an ESM. At least not in 3.3. CA has this
wonderful piece of code known as ENF that hooks into CICS just like in
the old days. When we tried to convert to 3.3 we had big-time
performance problems with ACF2 and ENF. We tried ACF2 as an ESM but
chose the ENF route because we could disable the hooks for resources
we weren't validating (programs, PSBs, ...). This greatly reduced the
overhead. There was another reason we didn't want to have it run as an
ESM, but I can't remember the specifics.

QUERY SECURITY doesn't work in my CICS 3.3 and ACF2/ENF environment.

----------
From: Philip Emrich[SMTP:phil_...@VNET.IBM.COM]
Sent: Monday, May 05, 1997 12:49 PM
To: Multiple recipients of list CICS-L

Jose and Angela Campos
May 5, 1997

Kindness, David A wrote:
>
> >Jose and Angela Campos[SMTP:mizzoufa...@WORLDNET.ATT.NET] wrote
> >Why can you set up a resource rule with one group of users having
> >READ access and another one UPDATE?
>
> I'm not an expert on ACF2 rules, so if you can write a resource rule
> as opposed to a transaction rule, that should work too.
>
> If you're questioning why we would want to call an ACF2 exit,
> it's because we want to make our applications *friendly*. I.e.: is the
> user authorized? No, he is not; send him a message that he is not
> authorized to request that function, as opposed to letting ACF2 give
> him an SECV abend when he accesses the resource.

You could 'inquire' a user's access through EXEC CICS QUERY SECURITY.

Black, William
May 7, 1997

Thomas Marsh wrote:

> Does any know of / have an ACF2 exit (or function which calls ACF2) to
> handle function-level security in a CICS transaction? Specifically, I
> need one group of users to be able to retrieve and update, while
> another group can only retrieve.

There are a number of different ways to handle the situation you
describe. Here is a summary of them:

ACF2 CICS resource checks are based on resources defined to ACF2
CICS by a CICSKEY or USERKEY parameter. The CICSKEYs are those
resources which are inherent to the CICS environment, like
transactions, programs, files, etc. USERKEYs are defined by the
local installation, and may represent whatever you decide.

There is an Application Programming Interface (API) for user
programs to issue requests to ACF2 CICS. Your application may,
prior to processing, request that the process be validated by
ACF2. This would be in the form of validating READ or UPDATE
access to the resource you have chosen to represent the process.
An earlier contributor suggested you use a dummy-like transaction
code for this representation.

The ACFM transaction basically does what you are asking for,
through the use of the USERKEY RESOURCE=ACF2CTRL. The ACFM
transaction validates the user's ability to select each item from
its main menu, and only displays those that the user has access
to.

One less complicated way that would require less overhead is to
have the application program run under two different transaction
codes, where one is used for READ processing, and the other for
READ/UPDATE. You could then control the access by the transaction
code access rule, and the application need only be concerned with
its execution being in READ or READ/UPDATE mode.

Other considerations:

- EXEC CICS QUERY SECURITY is supported by ACF2 CICS, but
prior to CICS 4.1, the INITIAL XSP=YES ACF2PARM must be
specified.

For further details on the use of USERKEY and API, please refer
to the Sample Programs and other sections within Chapter 7 of the
CA-ACF2 CICS Support Guide.

I got this info from the folks over in CA-ACF2.
If you would like to discuss any of this in detail, please
contact them at 630-505-6750.

regards,
Bill Black
CA-Top Secret
