Just an information. RussD has answered me with a nice post! There might be others in the future ( I hope not ) with similar doubts so I think It would be nice to put here what I received for future archive reference ( somewhat similar to Mark's post but in a different format ).
------ START----------- " Hi Avelino, The health checker resources that need to be setup are all within the XFACILIT resource class. In CA ACF2 by default, the resource type is XFC. The IBM Health Checker User guide shows the following... * Table 1. Access required for printing check output from the message buffer using HZSPRINT Check specification Access required for service resource Resource name * CHECK*(*,**check_name**) *QUERY: Read access to all checks * *HZS.*sysname*.QUERY CHECK*(*,*) *MESSAGES: Read access to individual check HZS.*sysname*.*check_owner*.MESSAGES *or * * *HZS.*sysname*.*check_owner*.*check_name*.MESSAGES CHECK*(**check_owner**,*) *QUERY: Read access to all checks for a HZS.*sysname*.*check_owner*.QUERY specific owner MESSAGES: Read access to individual check HZS.*sysname*.*check_owner*.MESSAGES *or * * *HZS.*sysname*.*check_owner*.*check_name*.MESSAGES CHECK*(**check_owner**,**check_name**) *QUERY: Read access to individual check* *HZS.*sysname*.*check_owner*.QUERY * * * or * * *HZS.*sysname*.*check_owner*.*check_name*.QUERY MESSAGES: Read access to individual check HZS.*sysname*.*check_owner*.*check_name*.MESSAGES *or* HZS.*sysname*.*check_owner*.*check_name*.MESSAGES So, if you want to write a rule to allow "user01" to have access to CHECK(check_owner,*) as a QUERY request you could write a rule as follows.. ACF SET RESOURCE(XFC) COMPILE * $KEY(HZS) TYPE(XFC) *sysname*.*check_owner*.QUERY UID(uid for user01) service(read) allow END STORE You will also need to create a resource directory for this resource type if it does not already exist ACF SET CONTROL(GSO) CHANGE INFODIR TYPES(R-RXFC) ADD F ACF2,REFRESH(INFODIR) F ACF2,REBUILD(XFC) in addition you will need to setup a logonid for the HZSPROC started task. this can be done with the following ACF SET LID INSERT HZSPROC STC NAME(HZS procedure logonid) uid(0) home(/) program(/bin/sh) group(omvsgrp) F ACF2,REBUILD(USR),CLASS(P) F ACF2,REBUILD(GRP),CLASS(P) F ACF2,OMVS you will also need to give the STC access to HZSPDATA dataset. This can be done by updating the sys1 dataset rule ACF SET RULE COMPILE * $KEY(SYS1) PRODSYS.HZSPDATA UID(uid for hzsproc) alloc(a) read(a) exec(a) write(a) Please review chapter 2 in * ** IBM Health Checker for z/OS: User’s Guide, SA22-7994-07, which supports z/OS Version 1 Release 10. * and let me know if there are any other resources that you need help in setting up." __________END____________ Thanks again, Avelino. On Wed, Oct 21, 2009 at 1:45 PM, Avelino Ferreira <afmf...@gmail.com> wrote: > Thanks a lot Mark !! > > On Wed, Oct 21, 2009 at 1:33 PM, Mark Zelden <mark.zel...@zurichna.com>wrote: > >> On Wed, 21 Oct 2009 14:23:48 -0500, Mark Zelden <mark.zel...@zurichna.com >> > >> wrote: >> >> >> > >> >There is an ACF2 cookbook, but I doubt it has this. Many vendors >> >(especially IBM) don't supply equivalent OEM security definitions for >> RACF >> >like CA does (not a surprise since they own TSS and ACF2). You just have >> >to understand something about administering those products in order to >> >translate. >> > >> >> One final comment: Someone else suggested contacting CA about this. >> I don't have a problem with "how to" questions on this list when things >> aren't documented or documented well (heck, "how to" questions get >> asked all the time on this list). But there is nothing wrong with that >> suggestion either. ACF2 support is top notch and they are always more >> than willing to help with problems or "how to" questions. They understand >> that products that document RACF external security don't usually explain >> how to do it under ACF2 or Top Secret. >> >> Mark >> -- >> Mark Zelden >> Sr. Software and Systems Architect - z/OS Team Lead >> Zurich North America / Farmers Insurance Group - ZFUS G-ITO >> mailto:mark.zel...@zurichna.com >> z/OS Systems Programming expert at >> http://expertanswercenter.techtarget.com/ >> Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html >> >> ---------------------------------------------------------------------- >> For IBM-MAIN subscribe / signoff / archive access instructions, >> send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO >> Search the archives at http://bama.ua.edu/archives/ibm-main.html >> > > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html