Difference between Resource IEAABD.DMPAUTH and the DUMPAUTH privilege in ACF2

book

Article ID: 142657

calendar_today

Updated On:

Products

CA ACF2 CA ACF2 - z/OS CA ACF2 - MISC

Issue/Introduction

What is the difference between this resource and DUMPAUTH on the LID record?

Cause

IBM code can control dumping with SYSUDUMP, SYSABEND, and SYSMDUMP statements of address spaces that contain controlled programs by defining a profile to protect a resource called IEAABD.DMPAUTH in the FACILITY general resource class.

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

IEAABD.DMPAUTH resource call comes from IBM code to control dumping with SYSUDUMP, SYSABEND, and SYSMDUMP statements of address spaces.  ACF2 will suppress a dump if the environment in use is PROGRAM PATHED, or EXECUTE only.  When this happens, the ACFRPTDS report will show DUMPAUTH in the rmrc field of the report.  The DUMPAUTH attribute in a logonid record is ACF2 only and allows a logonid to take a user dump to the SYSUDUMP or SYSABEND ddnames, rather than to the system dump data sets even if it is running a program that is from an execute-only library, or is using Program Pathing in ACF2.  This is done because these rules would make the files as unreadable, but a dump would allow you to read the data, getting around security rules.

IEAABD.DMPAUTH access should be given to users that need to debug their own programs.  DUMPAUTH should only be given to personnel assigned to debug a problem that requires the special data be used.

Additional Information

IBM defintion of IEAABD.DMPAUTH:  https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha700/pdmpfac.htm