Getting unexpected results when using the ACF TEST subcommand with a resource rule. The following violation is received:
ACF04056 ACCESS TO RESOURCE TEST.PRODUCT.ABCD.ABC10001 TYPE RFAC BY USERABC NOT AUTHORIZED
The ACF2 violation report shows (each header line is followed by its values):
REQUESTED RESOURCE REC LOOKUP KEY
RFAC-TEST.PRODUCT.ABCD.ABC10001 *VIO RFAC-TEST
UID SOURCE CPU MODULE DISP DSP-MOD KEY-MOD SERV
USERABC OMVSDGRP STCINRDR sys1 ACF9CAUT NO-RULE - DIRECTRY READ
DATE TIME JNAME LID NAME PRE RMC INT PST FIN
20.034 02/03 15.56 USERABC USERABC COMPANY/LMS -P 0 0 20 0 16
MLS USER-SECLABEL RSRC-SECLABEL MODE SRC RRC RSN
SAF RESOURCE CLASS FACILITY
The ACF2 rule is coded as follows:
l test
ACF75052 RESOURCE RULE TEST STORED BY xxxxxx ON 02/11/20-16:26
$KEY(TEST) TYPE(FAC)
PRODUCT.LICENSE.- UID(USERABC) SERVICE(UPDATE) PREVENT
PRODUCT.ABC.- - UID(*) ALLOW
- UID(*) SERVICE(READ) LOG
ACF75051 TOTAL RECORD LENGTH= 298 BYTES, 7 PERCENT UTILIZED
RESOURCE
Testing the rule gives:
test TEST
. r(PRODUCT.ABCD.ABC10001) UID(USERABC)
ACF71114 THE FOLLOWING PARAMETERS ARE IN EFFECT:
DATE=02/14/20 TIME=0856 SOURCE=******** UID=xxxxxxx
LID= ROLE=
TARGET RESOURCE: RFAC TEST.PRODUCT.ABCD.ABC10001
NO RULE APPLIES IN RESOURCE RECORD TEST TYPE FAC
RESULT: ACCESS WOULD BE DENIED
REASON: KEY MODIFIED BY DIRECTORY
Why does this rule not permit UID(USERABC) access to resource TEST.PRODUCT.ABCD.ABC10001 type RFAC?
Release: 16.0
Component: CA ACF2 for z/OS
If the SERVICE keyword is omitted from the TEST command, CA ACF2 assumes ALL services. That is why the access is reported as denied: the only line in $KEY(TEST) that covers PRODUCT.ABCD.ABC10001 for this user is "- UID(*) SERVICE(READ) LOG", and that line applies to READ only, so no line grants all service types and TEST reports NO RULE APPLIES.
For the TEST command to give a meaningful result for a resource rule, include the service type being tested. To test for read access:
test TEST
. r(PRODUCT.ABCD.ABC10001) UID(USERABC) SERVICE(READ)
To test for update access:
test TEST
. r(PRODUCT.ABCD.ABC10001) UID(USERABC) SERVICE(UPDATE)
The converse also holds: if the TEST command specifies a SERVICE that no applicable rule line covers, TEST reports the access as denied as well. For TEST to select a rule line, the SERVICE on the command must match the SERVICE on that line. To test all services at once, the resource must therefore be covered by a line that carries no SERVICE keyword; in the rule above that is "PRODUCT.ABC.- UID(*) ALLOW", so the all-services test uses a resource under PRODUCT.ABC:
test TEST
. r(PRODUCT.ABC.ABC10001 ) UID(USERABC)