Using SAF class for RACF

This section describes how to configure the internal access management options SAFClass and FILE for Central Governance when managing Transfer CFTs on z/OS platforms.

Configure SAFCASS

Use this procedure to enable SAFCLASS as an access management type for Transfer CFT z/OS. Supported versions include Transfer CFT versions 3.2.4 SP3 P1 or 3.2.4 SP4 and higher, and version 3.3.2 SP2 and higher.

  1. Select the Products tab to view available products.
  2. Click the Transfer CFT z/OS name to open its details page.
  3. Click Configuration to open the Configuration page and click Edit to open edit mode.
  1. In the sub-menu panel on the left, select the Access and security > Access management.
  2. Select Access type > Transfer CFT internal.
  3. In the Group database field, select SAF class.
  4. In the SAF class field, enter the resource name having a maximum of 8 characters.
  5. Click Save.

    If you modify this Transfer CFT configuration setting and it is used in a flow, a warning message indicates that the modification has an impact on one or more flows. If you confirm the configuration change, the affected flows are recalculated to reflect the new status. See Configuration change management.

  6. Click Deploy when you are ready to push the configuration change to Transfer CFT.

This action deploys the following values on the Transfer CFT:

  • am.internal.group_database = SAFCLASS
  • am.safclass= <RESOURCE>
    • Where <RESOURCE> is the name of a SAF resource defined via a security product such as RACF, TSS, or ACF2
Note Concerning (am.internal.role) roles, when using SAFCLASS some roles may be empty if they are not used in the SAFCLASS description. You should add values in these empty roles and deploy, then you can remove the values as needed and redeploy.

Configure FILE     

Use this procedure to enable FILE as an access management type for Transfer CFT z/OS. Supported versions include Transfer CFT versions 3.1.3 and higher.

  1. Select the Products tab to view available products.
  2. Click the Transfer CFT z/OS name to open its details page.
  3. Click Configuration to open the Configuration page and click Edit to open edit mode.
  1. In the menu panel on the left, select the Access and security > Access management.
  2. Select Access type > Transfer CFT internal.
  3. In the Group database field, select File.
  4. In the File field, enter the path to the file (string with a maximum length of 255 characters).
  5. Click Save.

    If you modify this Transfer CFT configuration setting and it is used in a flow, a warning message indicates that the modification has an impact on one or more flows. If you confirm the configuration change, the affected flows are recalculated to reflect the new status. See Configuration change management.

  6. Click Deploy when you are ready to push the configuration change to Transfer CFT.

This action deploys the following values on the Transfer CFT:

  • am.internal.group_database = FILE
  • am.internal.group_database.fname= <file_name>
    • Where the file name is the path to the file containing roles associated with each user.

Create a policy with SAFCLASS or FILE 

If you apply a policy that includes SAFCLASS or FILE to a Transfer CFT that does not run on a z/OS platform, the default value of SYSTEM is applied to the Transfer CFT.

  1. Select Products > Policies to open the Policy List page.
  2. Click Add policy to open the Add Policy page, or select an existing policy to modify.
  3. For a new policy complete the Policy Information section.
  4. In the left menu, select the Access and security > Access management.
  5. Select Access type > Transfer CFT internal.
  6. In the Group database field, select SAF class or File.
  7. Enter either the file name or the SAF class as described in the previous sections.
  8. You can modify as many other sections as required for the policy.
  9. Click Save.
  10. Click Deploy when you are ready to push the configuration change to Transfer CFT.

 

Central Governance | Document Directory

Related Links