This section documents the steps for integrating SafeSFS with an existing SFS file pool. Two methods are provided.
Method A is used to convert existing SFS authorizations into SafeSFS rules. This method immediately replaces SFS authorizations with SafeSFS rules.
Method B is used to stage the conversion over a period of time. It differs from Method A by allowing existing SFS authorizations to be used unless they are overridden by an existing SafeSFS rule.
Method A: Replace Existing SFS Authorizations with SafeSFS Rules (Recommended)
Perform the following steps for each SFS file pool to be controlled by SafeSFS.
Step 1: Convert existing SFS authorizations to SafeSFS rules
Run the SAFECONV Utility to convert the existing SFS authorizations to SafeSFS rules. See Chapter 8 for details about the SAFECONV Utility.
SFS authorizations should not be updated during or after running the SAFECONV Utility. If you wish to delete the existing SFS authorizations in the optional Step 3 below, use the OSFS option to produce a copy of them. When run multiple times, the SAFECONV Utility appends to the rules files it creates. This allows you to stop and restart the utility.
Step 2: Set DEFER MODE OFF during SafeSFS customization
When performing the steps in the "Customize SafeSFS" section later in this chapter, specify a DEFER MODE OFF record in the SAFESFS CONTROL file for each SFS file pool whose authorizations are to be replaced by SafeSFS rules.
Step 3: Delete existing SFS authorizations (Optional)
The Fp OSFSAUTH file created by the SAFECONV Utility may be used to remove the existing SFS authorizations if desired. To remove the SFS authorizations, edit the Fp OSFSAUTH file and change all occurrences of "GRANT AUTHORITY" to "REVOKE AUTHORITY". Then turn the file into a REXX exec by adding a "/* */" record at the top of the file and changing the filetype of the file to "EXEC". The file may now be run as an exec to remove the SFS authorizations.
Notes: Removing the existing SFS authorizations will free up disk space within the minidisk that contains the SFS catalog. It may also significantly improve the performance of SFS access requests, SFS backups, and SFS restores. Removal of the existing SFS authorizations is highly recommended.
The SFS authorizations must be removed while ESECURITY is NOT present in the DMSPARMS file for the file pool. The REVOKE command will not function while ESECURITY is turned on.
Method B: Use SafeSFS Rules in Addition to Existing SFS Authorizations
Step 1: Set DEFER MODE ON during customization
When customizing SafeSFS, specify a DEFER MODE ON record in the SAFESFS CONTROL file for each SFS file pool whose authorizations are to be used in addition to SafeSFS rules. This allows the existing SFS authorizations to be used. SafeSFS rules may be added gradually. The SafeSFS rules add to or override the SFS authorizations. When the SafeSFS rules have completely replaced the existing SFS authorizations, DEFER MODE may be turned off. It is not necessary to run the SAFECONV Utility.
Note: The SFS commands GRANT AUTHORITY and REVOKE AUTHORITY will no longer function.