CEA ENF security configuration

A z/OS UNIX BCPii application must be granted authority to listen to ENF68 events. With the CEA ENF controls, it is also possible to fine-tune which BCPii events a user is allowed to listen to.

This RACF example gives generic authority to the user id associated with a z/OS UNIX application authority to listen to any BCPii event:

AU user_id OMVS(Uid(n))
SETROPTS GENERIC(SERVAUTH)
RDEFINE SERVAUTH CEA.CONNECT UACC(NONE)                                
RDEFINE SERVAUTH CEA.SUBSCRIBE.ENF_0068* UACC(NONE)                    
PERMIT CEA.CONNECT CLASS(SERVAUTH) ID(user_id) ACCESS(READ)            
PERMIT CEA.SUBSCRIBE.ENF_0068* CLASS(SERVAUTH) ID(user_id) ACCESS(READ)
SETROPTS RACLIST(SERVAUTH) REFRESH

To give specific authority to only certain BCPii events, use the event qualifier as part of the profile name. The event qualifier maps to the event mask for ENF68 in the ENFREQ documentation in z/OS MVS Programming: Authorized Assembler Services Reference EDT-IXG. Hardware events are in the form ‘03xx00yy’ where xx is the event source (‘01’x = CPC, and ‘02’x =image) and yy denotes the particular event.

This RACF example allows user JOE authority to only receive events related to CPC command responses (CmdResp = ‘01’x):

AU JOE OMVS(Uid(5))
RDEFINE SERVAUTH CEA.CONNECT UACC(NONE)                                
RDEFINE SERVAUTH CEA.SUBSCRIBE.ENF_006803010001 UACC(NONE)
PERMIT CEA.CONNECT CLASS(SERVAUTH) ID(JOE) ACCESS(READ)            
PERMIT CEA.SUBSCRIBE.ENF_006803010001 CLASS(SERVAUTH) ID(JOE) ACCESS(READ)
SETROPTS RACLIST(SERVAUTH) REFRESH