Creating CA-ACF2 Facility Classes

The Platform Server uses CA-ACF2 facility classes to determine whether a user is authorized to perform certain Platform Server maintenance functions.

The Platform Server uses following two types of facility classes to validate if a user is authorized for a function:
  • REXX/ISPF inquiry and profile authorization
  • Command Center functions
    Procedure
  1. Create the REXX/ISPF inquiry and profile facility under CA-ACF2.
    The GLOBAL BOSSID parameter, which is defined in GLOBAL Startup Parameters, defines a facility class that is used for authorization checking for:
    • The REXX/ISPF interface
    • The user profile

    If BOSSID=$FUSION:

    1. To define this facility under CA-ACF2, you can use the following commands: 
      ACF
? SET RULE
? COMPILE STORE
$KEY($FUSION) TYPE(FAC)
    2. To make a user a Platform Server ISPF/REXX administrator, give them READ authorization to the profile by using the following command: 
      UID(FUSADM) SERVICE(READ) ALLOW
    3. To make a user a Platform Server profile administrator, give them CONTROL authorization to the profile by using the following command: 
      UID(FUSADM) SERVICE(DELETE) ALLOW
    4. To complete the resource rule, enter the following command: 
       <ENTER>
? END

    For more information, see TIBCO® Managed File Transfer Platform Server for z/OS User's Guide.

  2. (Optional) Create a read only REXX/ISPF inquiry and profile facility.
    In addition to the processing defined in step 1, you can define an additional facility class to give ISPF users the authority to view but not update transfer requests. This facility adds the suffix .READ to the GLOBAL BOSSID parameter. When a TSO user has READ access to this facility class, the user can perform the following functions:
    • View all transfers.
    • Update only transfers where the transfer local user ID matches their TSO user ID.

    If BOSSID=$FUSION:

    1. To define this facility under CA-ACF2, use the following command: 
      ACF
? SET RULE
? COMPILE STORE
$KEY($FUSION.READ) TYPE(FAC)
    2. To make a user a Platform Server ISPF/REXX administrator, give them READ authorization to the previous facility by using the following command: 
      UID(FUSADM) SERVICE(READ) ALLOW
    3. To complete the resource rule, enter the following command: 
       <ENTER>
? END
    At this point, the Platform Server will also check facility class $FUSION.READ. If a user has access to this facility class, the user can read but not update transfer requests.
    Note: The .READ facility class is only checked if the user does not have access to the facility class defined by the BOSSID parameter.
  3. Create the Command Center facility classes.

    Four GLOBAL parameters define the names of the facility classes that are used to determine if a user is authorized for Command Center functions.

    See the following parameters defined in the GLOBAL member of the Platform Server SAMPLIB library. For more information, see GLOBAL Startup Parameters. 

    CCC_BROWSE_FACILITY=$CCC.BROWSE
CCC_ALTER_FACILITY=$CCC.ALTER
CCC_ADMIN_FACILITY=$CCC.ADMIN
CCC_TRANSFER_FACILITY=$CCC.TRANSFER

    1. To define these Command Center facilities under CA-ACF2, use the following commands: 
      ACF
? SET RULE
? COMPILE STORE
$KEY($CCC.BROWSE) TYPE(FAC)
$KEY($CCC.ALTER) TYPE(FAC)
$KEY($CCC.ADMIN) TYPE(FAC)
$KEY($CCC.TRANSFER) TYPE(FAC)
    2. Give the user appropriate rights using any of the following commands:
    To make a Command Center user authorized for all Command Center functions, give them READ authorization to the facility defined by the CCC_ADMIN_FACILITY parameter: 

    $KEY($CCC.ADMIN) TYPE(FAC)
UID(userid) SERVICE(READ) ALLOW

    To make a Command Center user authorized for inquiry on completed transfers, give them READ authorization to the facility defined by the CCC_BROWSE_FACILITY parameter: 

    $KEY($CCC.BROWSE) TYPE(FAC)
UID(userid) SERVICE(READ) ALLOW

    To make a Command Center user authorized for altering transfers on the Platform Server queue, give them READ authorization to the facility defined by the CCC_ALTER_FACILITY parameter: 

    $KEY($CCC.ALTER) TYPE(FAC)
UID(userid) SERVICE(READ) ALLOW

    To make a Command Center user authorized for initiating transfers, give them READ authorization to the facility defined by the CCC_TRANSFER_FACILITY parameter: 

    $KEY($CCC.TRANSFER) TYPE(FAC)
UID(userid) SERVICE(READ) ALLOW