ACF2 SECURITY logonids Unable to use File Manager MQ component


Article ID: 141232


Products

CA ACF2, CA ACF2 - DB2 Option, CA ACF2 for zVM, CA ACF2 - z/OS, CA ACF2 - MISC

Issue/Introduction

ACF2 logonids with NON-CNCL and SECURITY are allowed access to all datasets and resources, so ACF2 resource rules cannot prevent their access to the File Manager MQ FACILITY class resource FMNMQ.DISABLE.system_name.

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

Because ACF2 logonids with NON-CNCL and SECURITY are allowed access to all datasets and resources, ACF2 resource rules cannot prevent their access to the File Manager MQ FACILITY class resource FMNMQ.DISABLE.system_name.

To prevent logonids with NON-CNCL or SECURITY from accessing the File Manager MQ FACILITY class resource FMNMQ.DISABLE.system_name, the following SAFDEF can be used.

ACF
SET CONTROL(GSO)
INSERT SAFDEF.FMMQ FUNCRET(20) FUNCRSN(0) ID(FMMQ) MODE(IGNORE) - 
NOAPFCHK RACROUTE(REQUEST=AUTH CLASS=FACILITY ENTITY=FMNMQ.DISABLE.system_name) - 
RETCODE(0) USERID(*******)
F ACF2,REFRESH(SAFDEF)

 

Additional Information

For details, see the IBM File Manager for z/OS V14.1 documentation, section: Disabling WebSphere MQ feature by system name.