CFACCESS

With the platform server CFACCESS (Access Control) function, the administrator can control file transfer capabilities for a user or node.

For entry into the z/OS system, the platform server requires a valid user ID and password. To ensure that only authorized users can transfer data successfully, the platform server validates this information with RACF or another security system, and verifies that the user is authorized to access the transfer data set.

But under certain conditions, the platform server administrator must have additional control over the functions that users can perform, and the data sets that they can access. The Access Control function provides this capability.

Using Access Control, the administrator can control the file transfer capabilities for:
  • A user
  • A node or IP address
  • A combination of user and node/IP address

The administrator can restrict the following transfer functions:
  • Sending a file
  • Receiving a file
  • Submitting a job into the internal reader
  • Executing a command
  • The High Level Qualifier (HLQ) for a file send transfer
  • The HLQ for a file receive transfer

Additionally, the administrator can restrict the following post processing actions (PPA):
  • Executing a command
  • Submitting a job into the internal reader
  • The DSN for JCL to be submitted into the internal reader

Note: CFACCESS checking is only performed for responder transfers.

The file transfer type depends on the platform server for z/OS that processes the request. For example, a send request on platform server for Windows is processed as a receive request on platform server for z/OS, and the receive parameters are checked against the CFACCESS configuration.

The CFACCESS configuration parameters can be activated in one of the following two ways:
  • At platform server startup.
  • When the platform server CFACCESSREFRESH operator command is entered.