NON-CNCL privilege User IDs showing ACF2 dataset access violation message


Article ID: 129720


Products

CA ACF2, CA ACF2 - DB2 Option, CA ACF2 for zVM, CA ACF2 - z/OS, CA ACF2 - MISC

Issue/Introduction



User IDs with the NON-CNCL privilege show an ACF2 violation message in syslog and ACFRPTDS, but the SEC-VIO count in the logon ID record does not appear to increase. Why do IDs with the NON-CNCL privilege throw an ACF2 dataset access violation error message? The ACF2 TEST command shows that access is allowed.

SYSLOG Messages:
ACF99913 ACF2 VIOLATION-04,02,STCLID,RMLS19,CORP.CICS.CPWR.CHKPT,N/A 
'IF ACCESS TO THIS RESOURCE IS REQUIRED, CONTACT THE ACF2 ADMINISTRATOR,


TSO, ACF, List of the logonid:
list STCLID
  STCLID               CH40151000SJSTCLID DEFAULT LID B.L.D.C.
                       DEPT(1000) ENTRPRZ(CH) FUNCRESP(S) JOBRESP(J) 
                       LOCATION(PD) REAL-LOC(4015)                        
  PRIVILEGES           NON-CNCL STC
  STATISTICS           CRE-TOD(00/00/00-00:00) SEC-VIO(471)  

Environment

Release:
Component: ACF2MS

Resolution

With NOVSAMFAIL set in the RULEOPTS record of the GSO, ACF2 issues a violation message but does not fail the actual validation; instead, it takes the existing WARN message in the GSO and displays it.

If the validation should be allowed, update the rules to allow it. When all rules are corrected, change the RULEOPTS record from NOVSAMFAIL to VSAMFAIL by issuing the following command to start enforcing the previously allowed VSAM OPEN requests.

F ACF2,REFRESH(RULEOPTS)

A NON-CNCL user ID will then only report logging of a possible violation, and you will not see an ACF99913 message.
The NON-CNCL user ID will now behave as expected.
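
Before switching to VSAMFAIL, it helps to inventory which datasets are still producing ACF99913 messages so the rules can be corrected first. The following is an added example, not part of the original article or vendor code: a Python sketch that tallies ACF99913 messages from a SYSLOG extract by logon ID and dataset. It assumes, based only on the sample message above, that the third comma-separated field is the logon ID and the fifth is the dataset name; the function names and all sample lines other than the first are constructed.

```python
import re
from collections import Counter

# Constructed SYSLOG extract. Only the first ACF99913 line is taken from the
# article; the remaining lines are made up for illustration.
SAMPLE_SYSLOG = """\
ACF99913 ACF2 VIOLATION-04,02,STCLID,RMLS19,CORP.CICS.CPWR.CHKPT,N/A
IEF403I SOMEJOB - STARTED
ACF99913 ACF2 VIOLATION-04,02,STCLID,RMLS19,CORP.CICS.CPWR.CHKPT,N/A
ACF99913 ACF2 VIOLATION-04,02,STCLID,RMLS19,CORP.CICS.CPWR.JOURNAL,N/A
ACF99913 ACF2 VIOLATION-04,02,BATCH01,RMLS20,PROD.PAYROLL.MASTER,N/A
"""

# Match the message anywhere in the line so SYSLOG prefixes (timestamps,
# system names) do not matter.
ACF99913 = re.compile(r"ACF99913 ACF2 VIOLATION-(?P<fields>\S+)")


def parse_violation(line):
    """Return (logonid, dataset) for an ACF99913 line, else None.

    Assumption: field 3 is the logon ID and field 5 is the dataset name,
    as in the article's sample message.
    """
    match = ACF99913.search(line)
    if not match:
        return None
    fields = match.group("fields").split(",")
    if len(fields) < 5:  # truncated or unexpected layout: skip, do not guess
        return None
    return fields[2], fields[4]


def summarize(syslog_text):
    """Count ACF99913 messages per (logonid, dataset) pair."""
    counts = Counter()
    for line in syslog_text.splitlines():
        hit = parse_violation(line)
        if hit:
            counts[hit] += 1
    return counts


def datasets_to_review(syslog_text, logonid):
    """Sorted datasets whose rules need review for one logon ID."""
    return sorted(dsn for lid, dsn in summarize(syslog_text) if lid == logonid)


if __name__ == "__main__":
    for (lid, dsn), n in sorted(summarize(SAMPLE_SYSLOG).items()):
        print(f"{lid:8} {dsn:44} {n}")
```

Any dataset still listed for a NON-CNCL logon ID is one whose OPEN requests are only being allowed because NOVSAMFAIL is in effect.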
 

Additional Information

Review: CA ACF2 Rule Option Specifications (RULEOPTS)