STCs on the system are getting violations under type FSA. The resource appears to be the USS file system. What is the cause?
RFSA-OMVS.ZFS.WEBSRV.TOOLS *VIO RFSA-OMVS
uid STCINRDR sys1 ACF9CFAT NO-REC - DIRECTRY UPDT
yy.ddd mm/yy hh.mm xxxxxx yyyyy zzzzz OMVS ID 0 8 0 0 16
SAF RESOURCE CLASS FSACCESS
RESOURCE NAME: OMVS.ZFS.WEBSRV.TOOLS
Release : 16.0
Component : CA ACF2 for z/OS
IBM added a new function that checks a user's authority to access file system objects in z/OS UNIX zFS file systems using the new SAF FSACCESS resource class. This support was added by IBM in OA35970/OA35974 for z/OS 1.12 and 1.13. The CA ACF2 support for it was added with the z/OS 1.13 support listed in Upgrade solution RI35635. Superuser authority is not considered for this check. The check is intended to be "coarse grained": if the user is not authorized to this resource, no further checking is performed and the user is denied access to the zFS, even if they are a superuser. If the user is authorized to the z/OS UNIX zFS file system container profile, then the file permission bits and ACLs associated with the individual z/OS UNIX file system objects govern access to the file or directory, or, if CA SAF HFS security is enabled, the corresponding CA ACF2 resource rules govern access, as they do today.
Because CA ACF2 protects resources by default, with this support in place access to each zFS is denied to all users, including superusers, until the needed resource rules have been added.
Note: This FSACCESS resource validation applies only to z/OS UNIX zFS file systems, NOT to HFS file systems.
IBM added this new level of checking for a reason, so the first decision is whether to validate the security call or to bypass the call being made.
Validate the request:
For this example, the zFS is named: OMVS.ZFS.WEBSRV.TOOLS
CA ACF2 maintenance added the type code FSA to the internal CLASMAP table for this new feature. To use a different type code, a user-defined CLASMAP record would be needed. The resource rule for the zFS would look like this:
$KEY(OMVS) TYPE(FSA)
ZFS.WEBSRV.TOOLS UID(uid string of the user) SERVICE(UPDATE) ALLOW
This new resource class uses FASTAUTH calls, so the rules must be made resident through the GSO INFODIR record:
SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-RFSA) ADD
F ACF2,REFRESH(INFODIR)
F ACF2,REBUILD(FSA)
The REBUILD command must be issued again after any subsequent change to the FSA rules.
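As an added illustration (not part of the original article or of the CA ACF2 product), the following Python carries the "validate" path through in code: it reads the SAF RESOURCE CLASS and RESOURCE NAME lines from an FSACCESS violation record like the one quoted in the problem, splits the zFS name into the rule $KEY (first qualifier, OMVS here, matching the RFSA-OMVS directory entry in the violation) and the rule entry (the remaining qualifiers), and generates the TYPE(FSA) rule and the GSO commands shown above. The function names, the UID string STCUSER and the sample record are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the lines of an ACF2 FSACCESS violation that matter for
# building the rule (modelled on the record quoted in the problem statement).
SAMPLE_VIOLATION = """\
RFSA-OMVS.ZFS.WEBSRV.TOOLS *VIO RFSA-OMVS
SAF RESOURCE CLASS FSACCESS
RESOURCE NAME: OMVS.ZFS.WEBSRV.TOOLS
"""

# SERVICE values this example is willing to grant; UPDATE is the one the article uses.
VALID_SERVICES = ("READ", "UPDATE")


@dataclass
class FsaccessViolation:
    resource: str  # full zFS data set name, e.g. OMVS.ZFS.WEBSRV.TOOLS
    key: str       # first qualifier -> $KEY of the TYPE(FSA) rule
    entry: str     # remaining qualifiers -> the rule entry


def split_resource(resource):
    """Split a zFS data set name into ($KEY, rule entry); requires two or more qualifiers."""
    key, sep, entry = resource.partition(".")
    if not sep or not entry:
        raise ValueError(f"resource name needs at least two qualifiers: {resource!r}")
    return key, entry


def parse_fsaccess_violation(text):
    """Return the FSACCESS violation found in `text`, or None if the record is for another class."""
    if not re.search(r"SAF RESOURCE CLASS\s+FSACCESS\b", text):
        return None
    match = re.search(r"RESOURCE NAME:\s*([A-Z0-9@#$.]+)", text)
    if not match:
        return None
    resource = match.group(1)
    key, entry = split_resource(resource)
    return FsaccessViolation(resource, key, entry)


def build_fsa_rule(resource, grants):
    """Build the ACF2 resource rule text for one zFS.

    grants is a list of (uid_string, service) pairs; each becomes one rule entry line
    in the form the article shows: ENTRY UID(...) SERVICE(...) ALLOW.
    """
    key, entry = split_resource(resource)
    lines = [f"$KEY({key}) TYPE(FSA)"]
    for uid, service in grants:
        service = service.upper()
        if service not in VALID_SERVICES:
            raise ValueError(f"unsupported SERVICE value: {service}")
        lines.append(f"{entry} UID({uid}) SERVICE({service}) ALLOW")
    return "\n".join(lines)


def gso_commands_for_fsa():
    """The GSO changes and operator commands the article gives to make FSA rules resident."""
    return [
        "SET CONTROL(GSO)",
        "CHANGE INFODIR TYPES(R-RFSA) ADD",
        "F ACF2,REFRESH(INFODIR)",
        "F ACF2,REBUILD(FSA)",
    ]


if __name__ == "__main__":
    violation = parse_fsaccess_violation(SAMPLE_VIOLATION)
    # STCUSER is an assumed UID string; substitute the site's own UID string for the STC.
    print(build_fsa_rule(violation.resource, [("STCUSER", "UPDATE")]))
    print("\n".join(gso_commands_for_fsa()))
```

Running the script prints the $KEY(OMVS) TYPE(FSA) rule with its ZFS.WEBSRV.TOOLS entry followed by the four GSO lines; the REBUILD(FSA) step is the one that has to be repeated after every later rule change.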
Stop the security call from being made (bypass the FSACCESS check):
SET CONTROL(GSO)
CHANGE UNIXOPTS BYP-FSA
F ACF2,REFRESH(UNIXOPTS)