ACF2 R16 and z/OS 2.2.
Intermittent problem: for a period of time right after IPL, a PGM=ADRDSSU job (IBM's DSS utility) fails with ACF2 violations. Before the IPL, and from some point after the IPL, the job works fine (no violations).
Here are samples of the error messages:
1) ACF99913 ACF2 VIOLATION-00,05… and from the dss pgm ADR402E (001)-SB008(01), AUTHORIZATION CHECK FAILED FOR DATA SET…
2) ACF99913 ACF2 VIOLATION-00,09… and ADR402E (001)-AUTH (16), AUTHORIZATION CHECK FAILED FOR DATA SET…
The logonid involved has the MAINT privilege, and there are related GSO MAINT records.
Release : 16.0
Component : CA ACF2 for z/OS
Data set violations in which the GSO MAINT record environment is not matched could be due to the program pathing environment and the 'Active Library List'. The following provides details on the 'Active Library List'.
When CA ACF2 validates access to a program-pathed data set, it takes special measures to ensure that only the defined library and program combination are used to gain access to the data set. To ensure this level of integrity, CA ACF2 maintains a list of active libraries. The active library list names all the libraries from which the executing program can fetch another program or subroutine.
A program name, as used in the PGM parameter of an access rule, is a load module whose name is derived from the JCL used to execute this job step for a batch job. In the program pathing situation, CA ACF2 must take into account that a particular routine might have been entered through LINK/XCTL/LOAD or ATTACH and not through a simple external subroutine link edited with the load module. When another routine is entered through one of these macros, the program name used for data set access validation remains the name specified in the JCL. Note: The active library list support applies to batch processing, not to batch execution of the TMP (IKJEFT01 and alternate entry points).
Whenever a program is fetched, CA ACF2 updates the active library list to include the name of the program and the library from which the program was fetched. At the time that a data set is actually opened, the routine in control might not be the original JCL indicated CSECT. Therefore, CA ACF2 validates the access using the program name found in the JCL with all the libraries found on the active library list that have actually been fetched.
A special program pathing trace is available to further help you in determining a program pathing environment. When PP-TRC (traces all accesses) or PP-TRCV (traces violations only) is on in a logonid record, batch jobs run under that logonid are traced and SMF records containing the Active Library List are cut. These trace records can be viewed using the Data Set/Program Access Report (ACFRPTDS).
For the violations, the ACFRPTDS report with PPTRACE entries shows three programs: ADRDSSU, CBRUXCUA and EDGLCSUX.
The programs listed after the library name are the programs that have been fetched from that library.
CA12202 20.027 01/27 08.19 DATASET PP TRACE
FGHJXDFD VOL=SYS333 DDN= DSN=ACF1234.S.QWE.ASD.VVVEXEC
S005 VOL= PGM=ADRDSSU LIB=SYS1.LINKLIB
JOB97139 INSTLL INPUT NAM=SMITHY,DAVID O ROL=
SYSY SAF SRC=BB12345V UID=Q AAAAWWWWEEE
ACTIVE LIBRARY LIST:
SYS1.LINKLIB <- GSO LINKLST DATASET
ADRDSSU CBRUXCUA EDGLCSUX
The GSO MAINT record only accounts for ADRDSSU; programs CBRUXCUA and EDGLCSUX should be added to the GSO MAINT record to address the violations.
CBRUXCUA and EDGLCSUX are DFSMSrmm programs.
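The comparison described above can be automated when many trace entries have to be reviewed. The following Python is an added example, not part of the original article or of CA ACF2: it parses one PP TRACE entry laid out like the excerpt above and lists the fetched programs that a given set of (program, library) pairs does not cover. The function names and the pair set standing in for the site's GSO MAINT records are assumptions.

```python
import re

# Constructed sample: the PP TRACE excerpt shown in this article (one entry).
SAMPLE_TRACE = """\
CA12202 20.027 01/27 08.19 DATASET PP TRACE
FGHJXDFD VOL=SYS333 DDN= DSN=ACF1234.S.QWE.ASD.VVVEXEC
S005 VOL= PGM=ADRDSSU LIB=SYS1.LINKLIB
JOB97139 INSTLL INPUT NAM=SMITHY,DAVID O ROL=
SYSY SAF SRC=BB12345V UID=Q AAAAWWWWEEE
ACTIVE LIBRARY LIST:
SYS1.LINKLIB <- GSO LINKLST DATASET
ADRDSSU CBRUXCUA EDGLCSUX
"""

PGM_NAME = re.compile(r"^[A-Z@#$][A-Z0-9@#$]{0,7}$")  # 1-8 char member name


def parse_pp_trace(text):
    """Return (JCL program, {library: [programs fetched from it]})."""
    jcl_pgm, active, current_lib, in_list = None, {}, None, False
    for raw in text.splitlines():
        line = raw.split("<-")[0].strip()  # drop any trailing annotation
        if not in_list:
            m = re.search(r"\bPGM=(\S+)", line)
            jcl_pgm = m.group(1) if m else jcl_pgm
            in_list = line.startswith("ACTIVE LIBRARY LIST")
        elif "." in line and " " not in line:
            current_lib = line  # assumption: a library line is one qualified DSN
            active.setdefault(current_lib, [])
        elif current_lib and line and all(PGM_NAME.match(t) for t in line.split()):
            active[current_lib].extend(line.split())
        elif line:
            break  # anything else ends this entry's list
    return jcl_pgm, active


def uncovered(active, maint_pairs):
    """(program, library) pairs on the list with no matching MAINT entry."""
    return sorted((p, lib) for lib, pgms in active.items()
                  for p in pgms if (p, lib) not in maint_pairs)


if __name__ == "__main__":
    # Hypothetical stand-in for what the site's GSO MAINT records cover.
    maint = {("ADRDSSU", "SYS1.LINKLIB")}
    pgm, libs = parse_pp_trace(SAMPLE_TRACE)
    for name, lib in uncovered(libs, maint):
        print(f"JCL PGM={pgm}: {name} from {lib} not covered by GSO MAINT")
```

Each pair it reports is a program that was fetched under the JCL program name and therefore appears on the Active Library List without a corresponding MAINT entry.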