ACF2 resource rule refusing access during TEST command

Article Id: 145159
Status: Published
Updated On: 06-05-2020 07:32
Products:
CA ACF2 , CA ACF2 - DB2 Option , CA ACF2 for zVM , CA ACF2 - z/OS , CA ACF2 - MISC
Issue/Introduction:

Receiving this violation :

ACF04056 ACCESS TO RESOURCE CPWR.PRODUCT.ABCD.ABC10001 TYPE RFAC BY USERABC NOT AUTHORIZED


ACF2 violation report shows :

REQUESTED RESOURCE                               REC  LOOKUP KEY               
UID                      SOURCE   CPU  MODULE   DISP     DSP-MOD  KEY-MOD  SERV
    DATE     TIME     JNAME    LID      NAME                 PRE RMC INT PST FIN
MLS     USER-SECLABEL RSRC-SECLABEL MODE   SRC     RRC      RSN                
                                                                               
RFAC-CPWR.PRODUCT.ABCD.ABC10001             *VIO  RFAC-CPWR                
USERABC OMVSDGRP         STCINRDR IPLK ACF9CAUT NO-RULE     -     DIRECTRY READ
20.034 02/03 15.56    USERABC USERABC COMPANY/LMS    -P    0   0  20   0  16
SAF RESOURCE CLASS FACILITY 



ACF2 rule is coded as follows :

l cpwr                                                                
 ACF75052 RESOURCE RULE CPWR STORED BY S934J ON 02/11/20-16:26        
 $KEY(CPWR) TYPE(FAC)                                                 
  PRODUCT.LICENSE.- UID(USERABC) SERVICE(UPDATE) PREVENT 
  PRODUCT.ABC.- - UID(*) ALLOW
  - UID(*) SERVICE(READ) LOG
 ACF75051 TOTAL RECORD LENGTH= 298 BYTES, 7 PERCENT UTILIZED          
 RESOURCE                                                             

Testing rule gives :

test CPWR                                              
 .  r(PRODUCT.ABCD.ABC10001) UID(USERABC)           
 ACF71114 THE FOLLOWING PARAMETERS ARE IN EFFECT:      
  DATE=02/14/20 TIME=0856 SOURCE=********  UID=E130LMS 
  LID=         ROLE=                                   
                                                       
  TARGET RESOURCE: RFAC CPWR.PRODUCT.ABCD.ABC10001   
                                                       
  NO RULE APPLIES IN RESOURCE RECORD CPWR TYPE FAC     
                                                       
  RESULT: ACCESS WOULD BE DENIED                       
  REASON: KEY MODIFIED BY DIRECTORY                    

Why does this rule does not permit  UID(USERABC)  access to RESOURCE CPWR.PRODUCT.ABCD.ABC10001  TYPE RFAC?

Environment:

Release : 16.0

Component : CA ACF2 for z/OS

Resolution:

If the SERVICE keyword is omitted, CA ACF2 assumes ALL services. Hence why it denies access since there is no rule that gives all service types.

In order for the TEST command to work properly for resource rules include the service type. To test for read access do the following:
test CPWR
. r(PRODUCT.ABCD.ABC10001 ) UID(USERABC) SERVICE(READ)

To test for update access do the following:
test CPWR
. r(PRODUCT.ABCD.ABC10001 ) UID(USERABC) SERVICE(UPDATE)

If the SERVICE keyword is mentioned in the TEST command, and is not on the rule line the user will be denied access as well. In order for the TEST command to find the rule line, it must be an exact match for the SERVICE keyword. To test for all access do the following:
test CPWR
. r(PRODUCT.ABC.ABC10001 ) UID(USERABC)