Need to remove NON-CNCL from a task logonid with CA ACF2.
search cancel

Need to remove NON-CNCL from a task logonid with CA ACF2.

book

Article ID: 138152

calendar_today

Updated On:

Products

ACF2 ACF2 - DB2 Option ACF2 - z/OS ACF2 - MISC

Issue/Introduction

CA ACF2 needing to remove Non-CNCL from a task logonid or a logonid with RESTRICT that run programs.

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

Any user that needs to have NON-CNCL removed from their logonid has two options:

  1. Update rules and resource rules to allow access for the logonid. To get an idea of what resource rules need to be added run the ACFRPTRV report. To get an idea of what dataset rules need to be added run the ACFRPTDS report. Depending on your program(s) you may need to have different time lengths specified on the ACFRPTRV and the ACFRTPDS reports to accurately give you an idea of what access is being attempted. You may need do monthly, quarterly, yearly, or more. See sample report JCL and output below.

  2. Give the lognid the MAINT attribute and add the programs to the GSO MAINT record. For more details on the GSO MAINT record documentation.

Sample Report JCL and output

The ACFRPTDS and ACFRPTRV reports can be used to report on logonids that are granted access to datasets and resources because of the NON-CNCL privilege.

Sample ACFRPTDS report JCL follows. The LIDMASK parameter can be used to limit the report entries for a specific logonid with NON-CNCL:

//REPORT  EXEC PGM=ACFRPTDS                      
//SYSPRINT DD SYSOUT=*                           
//RECMAN1  DD DISP=SHR,DSN=SYS1.MAN1             
//RECMAN2  DD DISP=SHR,DSN=SYS1.MAN2             
//RECMAN3  DD DISP=SHR,DSN=SYS1.MAN3             
//SYSIN    DD *                                  
TITLE(ACFRPTDS)                                  
ALL                                              
LIDMASK(stclid1)    

Here is a sample entry from the report output. Look for "LOGGING" entries with NON-CNCL: 

SMFDMP   20.006 01/06 19.30       PROGRAM  LOGGING   NON-CANC        
SMFDMP   VOL=       DDN=         DSN=                                
IEFPROC  VOL=       PGM=IFASMFDP LIB=                                
STC06112 PRGNAM EXECUTE NON-CNCL NAM=SMF DUMP             ROL=       
SYS2     SRC=STCINRDR            UID=S            SMFDMP    

 

Sample ACFRPTRV report JCL follows. The MASK parameter can be used to limit the report entries for a specific logonid with NON-CNCL:

//REPORT  EXEC PGM=ACFRPTRV                       
//SYSPRINT DD SYSOUT=*                            
//RECMAN1  DD DISP=SHR,DSN=SYS1.MAN1              
//RECMAN2  DD DISP=SHR,DSN=SYS1.MAN2              
//RECMAN3  DD DISP=SHR,DSN=SYS1.MAN3              
//SYSIN    DD *                                   
TITLE(ACFRPTRV)                                   
ALL                                               
MASK(stclid1)                                     
/*

Here is a sample entry from the report output. Look for "NO-RULE" entries with NON-CNCL

RSDF-ISFCMD.ODSP.ULOG.JES2                       TRC  RSDF-ISFCMD               
02112BLAMI02XBLAMI02     A28LO902 SYS2 ACF9CAUT NO-RULE  NON-CNCL DIRECTRY READ 
20.007 01/07 09.48    USER002  USER002  MICHAEL USER02          0   0  20   0   4
SAF RESOURCE CLASS SDSF                                                         
                                                                                
RESOURCE NAME: ISFCMD.ODSP.ULOG.JES2       

Powered by Wolken Software