How do I restrict execute access in a zFS or TFS file system with ACF2

Document ID:  TEC1704996
Last Modified Date:  08/11/2017

Products

  • CA ACF2 for z/OS

Components

  • CA ACF2 for z/OS:ACF2MS
Introduction:

z/OS 2.2 added the FSEXEC class. You can prevent users from executing any file in a z/OS File System (zFS) or Temporary File System (TFS) file system by defining a general resource profile for that file system in the FSEXEC class. This lets you use external security manager commands to restrict z/OS UNIX execute access to the file system for most users while leaving selected users and groups eligible for execute access.

Question:

How do I restrict execute access in a zFS or TFS file system with ACF2?

Environment:
z/OS 2.2 and above
Answer:

When a file system is protected by an FSEXEC profile with UACC(NONE), only users and groups with UPDATE access authority or higher are eligible for execute access to files in it. FSEXEC is a gate in front of the normal checks, not a replacement for them: eligible users are still subject to the usual z/OS UNIX authorization checking, which includes superuser authority, ownership, permission bits, access control lists (ACLs) and UNIXPRIV authorities. A user who is not eligible is denied execute access regardless of the file's permission bits.

CA added FSEXEC support to ACF2 with PTF RO91933. The PTF adds a CLASMAP record for the FSEXEC class with a maximum resource name length of 44 (the length of a fully qualified data set name), mixed-case resource names and a default type code of FSE. z/OS makes the FSEXEC check as a FASTAUTH call, so the FSE type code must be added to a resident directory and the directory refreshed before any FSE rule can be used:

TSO ACF
SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-RFSE) ADD
F ACF2,REFRESH(INFODIR)

As an example, suppose the zFS file system is named OMVS.ZFS.files.ADMIN. The FSEXEC resource name is the file system name: its first qualifier becomes the rule key ($KEY) and the remaining qualifiers form the resource line. A rule that keeps one UID string eligible for execute access (SERVICE(UPDATE) corresponds to the UPDATE access the FSEXEC check requires) would look like this:

$KEY(OMVS) TYPE(FSE)
 ZFS.files.ADMIN UID(uid string that needs access) SERVICE(UPDATE) ALLOW

Any UID that does not match an ALLOW entry in this rule is denied execute access, which is the equivalent of UACC(NONE); there is no need to code a PREVENT entry for everyone else. Because the CLASMAP defines the class as mixed case, the resource line must match the file system name exactly, including case. Rules for a resident type are not picked up until the directory is rebuilt, so after any FSE rule is added or changed issue:

F ACF2,REBUILD(FSE)

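
The following Python script is an added example for dry-running an FSE ruleset before it is compiled and the directory rebuilt. It is not CA ACF2 code and is not part of this document; it models only what is described above (the file system name is the resource, its first qualifier is the $KEY, the remaining qualifiers form the resource line, names are compared case-sensitively because the CLASMAP is mixed case, and a UID that matches no ALLOW entry with UPDATE service gets no execute access). The mask semantics ('*' matches one character, '-' matches the rest of the string, a UID string shorter than the user's UID is treated as if it ended in '-') and the first-match evaluation order are assumptions, and the ruleset, file system names and UID strings (SYSADMIN, SYSOPER, SYSAUDIT) are constructed placeholders.

```python
"""Dry-run model of ACF2 FSE (FSEXEC) resource-rule evaluation.

Constructed example, not CA ACF2 code. Mask semantics and the
first-match evaluation order are assumptions: ACF2 itself sorts
compiled entries most-specific first, which this model does not do.
"""
from dataclasses import dataclass, field

EXEC_SERVICE = "UPDATE"   # the FSEXEC check requires UPDATE or higher


@dataclass
class Entry:
    resource: str          # resource line, e.g. "ZFS.files.ADMIN"
    uid: str               # UID string (mask) this entry applies to
    services: set          # SERVICE(...) keywords on the entry
    allow: bool = True     # ALLOW (True) or PREVENT (False)


@dataclass
class Rule:
    key: str                              # $KEY(...): first qualifier
    entries: list = field(default_factory=list)


def split_fs_name(fs_name: str):
    """'OMVS.ZFS.files.ADMIN' -> ('OMVS', 'ZFS.files.ADMIN')."""
    key, _, rest = fs_name.partition(".")
    return key, rest


def mask_match(pattern: str, value: str, implicit_dash: bool) -> bool:
    """Case-sensitive mask compare (assumed ACF2-style semantics).

    '*' matches exactly one character, '-' matches the remainder. When the
    pattern is exhausted, a UID string is treated as padded with '-'
    (implicit_dash=True); a resource line must have matched completely.
    """
    i = 0
    for ch in pattern:
        if ch == "-":
            return True
        if i >= len(value) or (ch != "*" and ch != value[i]):
            return False
        i += 1
    return implicit_dash or i == len(value)


def execute_allowed(rules: list, fs_name: str, uid: str) -> bool:
    """Would `uid` be eligible for execute access in file system `fs_name`?"""
    key, resource = split_fs_name(fs_name)
    for rule in rules:
        if rule.key != key:
            continue
        for e in rule.entries:
            if (mask_match(e.resource, resource, implicit_dash=False)
                    and mask_match(e.uid, uid, implicit_dash=True)):
                return e.allow and EXEC_SERVICE in e.services
    return False   # no rule or no matching entry: ACF2 protects by default


# Constructed ruleset modelled on the article's sample rule; the UID
# strings are placeholders, not real installation UIDs.
RULES = [
    Rule("OMVS", [
        Entry("ZFS.files.ADMIN", "SYSADMIN", {"UPDATE"}),
        Entry("ZFS.files.ADMIN", "SYSOPER", {"READ"}),     # READ only: not eligible
        Entry("ZFS.-", "SYSAUDIT", {"UPDATE"}, allow=False),
    ]),
]

if __name__ == "__main__":
    for fs, user in [("OMVS.ZFS.files.ADMIN", "SYSADMIN01"),
                     ("OMVS.ZFS.files.ADMIN", "SYSOPER01"),
                     ("OMVS.ZFS.FILES.ADMIN", "SYSADMIN01"),   # case differs
                     ("OMVS.ZFS.files.ADMIN", "TSOUSER01")]:
        print(f"{fs:24} {user:12} execute eligible: "
              f"{execute_allowed(RULES, fs, user)}")
```

The third sample call shows the mixed-case caveat: OMVS.ZFS.FILES.ADMIN does not match the resource line ZFS.files.ADMIN, so a rule typed in the wrong case silently denies everyone.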