Running a DFSMSdss-authorized storage administrator program and specifying the ADMINISTRATOR keyword, but still getting violations. Why?


Article ID: 16862


Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, PanApt, PanAudit

Issue/Introduction

Running a DFSMSdss-authorized storage administrator program and specifying the ADMINISTRATOR keyword, but still getting violations. Why?

Environment

Release:
Component: ACF2MS

Resolution

To act as a DFSMSdss-authorized storage administrator, specify the ADMINISTRATOR keyword on the appropriate DFSMSdss command. With ADMINISTRATOR in effect, DFSMSdss-initiated access checking against the data sets and catalogs themselves is bypassed; instead, the security product checks the FACILITY class profile that corresponds to the command. If you are not authorized to use the ADMINISTRATOR keyword, the command ends with an error message.

To use the ADMINISTRATOR keyword, all of the following must be true: 

- FACILITY class is active.
- Applicable FACILITY class profile is defined.
- You have READ access to that profile. 

The following are the names and descriptions of the FACILITY class profiles for the ADMINISTRATOR keyword. 

- STGADMIN.ADR.STGADMIN.COMPRESS
- STGADMIN.ADR.STGADMIN.CONSOLID
- STGADMIN.ADR.STGADMIN.COPY
- STGADMIN.ADR.STGADMIN.COPY.DELETE
- STGADMIN.ADR.STGADMIN.COPY.RENAME
- STGADMIN.ADR.STGADMIN.DEFRAG
- STGADMIN.ADR.STGADMIN.DUMP
- STGADMIN.ADR.STGADMIN.DUMP.DELETE
- STGADMIN.ADR.STGADMIN.PRINT
- STGADMIN.ADR.STGADMIN.RELEASE
- STGADMIN.ADR.STGADMIN.RESTORE
- STGADMIN.ADR.STGADMIN.RESTORE.RENAME

These translate to an ACF2 resource rule for resource class FACILITY (TYPE(FAC)) whose resource names match the FACILITY class profiles above: the first qualifier, STGADMIN, becomes the $KEY of the rule, and the remaining qualifiers form the resource name of each rule entry. For example:

$KEY(STGADMIN) TYPE(FAC)
ADR.STGADMIN.COMPRESS UID(uid string for user) ALLOW
ADR.STGADMIN.CONSOLID UID(uid string for user) ALLOW
ADR.STGADMIN.COPY UID(uid string for user) ALLOW
ADR.STGADMIN.COPY.DELETE UID(uid string for user) ALLOW
ADR.STGADMIN.COPY.RENAME UID(uid string for user) ALLOW
ADR.STGADMIN.DEFRAG UID(uid string for user) ALLOW
ADR.STGADMIN.DUMP UID(uid string for user) ALLOW
ADR.STGADMIN.DUMP.DELETE UID(uid string for user) ALLOW
ADR.STGADMIN.PRINT UID(uid string for user) ALLOW
ADR.STGADMIN.RELEASE UID(uid string for user) ALLOW
ADR.STGADMIN.RESTORE UID(uid string for user) ALLOW
ADR.STGADMIN.RESTORE.RENAME UID(uid string for user) ALLOW 

** where 'uid string for user' is the ACF2 UID string of the logonid running the job with the ADMINISTRATOR keyword. Only the rule entries that correspond to the commands actually issued in the job are required; for example, a COPY with RENAMEU is validated against ADR.STGADMIN.COPY.RENAME, as the SECTRACE below shows.

Sample ADRDSSU job doing a COPY with RENAMEU, with the ADMINISTRATOR keyword:

//SYSAETC JOB 118100000,CLASS=A,NOTIFY=USER002,MSGCLASS=X 
//SYSAVAR EXEC PGM=ADRDSSU,REGION=0M,
// PARM='UTILMSG=YES'
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSIN DD *
COPY DS( -
INCLUDE( -
TESTZ23.ZFS1234.VAR)) -
RENAMEU(TESTZ23.ZFS1234.VAR -
USER002.ZFS1234.VAR) -
TOL(ENQF) -
ALLD(*) -
NULLSTORCLAS -
BYPASSACS(**) -
ODY(SYS123) -
FORCE -
ADMINISTRATOR
/*
// 

Sample SECTRACE showing the FACILITY resource class validation (note the ENTITY, which names the profile the job must be allowed to read):

CAS21D0I TRACEID: MD EVENT#: 00026744
CAS21D0I JOBNAME: SYSAETC USERID: USER002 ASID: 0030
CAS21D1I PROGRAM: ADRRI01 RB CURR: ADRRI01 APF: YES SFR/RFR: 0/0:0
CAS21D3I SAFDEF: GENAUTH INTERNAL MODE: GLOBAL
CAS2200I RACROUTE REQUEST=AUTH,CLASS='FACILITY',RELEASE=1.9,ATTR=READ,
CAS2200I DSTYPE=N,ENTITY=('STGADMIN.ADR.STGADMIN.COPY.RENAME'),
CAS2200I GENERIC=ASIS,LOG=ASIS,MSGSP=0,WORKA=
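When troubleshooting a violation, the useful step is to take the ENTITY from the SECTRACE, map it onto the $KEY and resource name ACF2 will look for, and compare that with the rule set. The script below is an added example written for this article, not code from the article or from ACF2; the trace lines and rule set are constructed, the UID strings are hypothetical, and its UID masking and first-match evaluation are a simplified model of ACF2 rule interpretation, not ACF2's actual algorithm.

```python
import re

# Constructed SECTRACE lines, modelled on the trace shown in the article.
SECTRACE = (
    "CAS2200I RACROUTE REQUEST=AUTH,CLASS='FACILITY',RELEASE=1.9,ATTR=READ,\n"
    "CAS2200I DSTYPE=N,ENTITY=('STGADMIN.ADR.STGADMIN.COPY.RENAME'),\n"
)

# Constructed ACF2 resource rule set with hypothetical UID strings.
# The COPY.RENAME entry is deliberately absent: the situation behind the violation.
RULE_SET = """$KEY(STGADMIN) TYPE(FAC)
ADR.STGADMIN.COPY UID(STGADMUSER002) ALLOW
ADR.STGADMIN.DUMP UID(STGADMUSER002) ALLOW
ADR.STGADMIN.RESTORE.RENAME UID(STGADM-) ALLOW"""

def parse_trace(text):
    """Pull CLASS, ENTITY and ATTR out of the RACROUTE REQUEST=AUTH trace lines."""
    cls = re.search(r"CLASS='([^']+)'", text).group(1)
    entity = re.search(r"ENTITY=\('([^']+)'\)", text).group(1)
    attr = re.search(r"ATTR=(\w+)", text).group(1)
    return cls, entity, attr

def parse_rules(text):
    """Return ($KEY, TYPE, [(resource, uid_mask, ALLOW|PREVENT), ...])."""
    lines = text.strip().splitlines()
    key, rtype = re.match(r"\$KEY\((\w+)\)\s+TYPE\((\w+)\)", lines[0]).groups()
    entries = []
    for line in lines[1:]:
        res, uid, action = re.match(r"(\S+)\s+UID\((\S*)\)\s+(ALLOW|PREVENT)", line).groups()
        entries.append((res, uid, action))
    return key, rtype, entries

def uid_matches(mask, uid):
    """Simplified ACF2 UID masking: '*' matches one character, '-' matches the rest."""
    pattern = "".join(".*" if c == "-" else "." if c == "*" else re.escape(c) for c in mask)
    return re.fullmatch(pattern, uid) is not None

def check_access(trace, rule_text, uid):
    """Map the FACILITY entity onto the rule and report the entry that decides (or is missing).
    Simplified evaluation: the first entry whose resource name and UID match decides."""
    cls, entity, attr = parse_trace(trace)
    key, rtype, entries = parse_rules(rule_text)
    prefix, _, resource = entity.partition(".")  # the first qualifier is the $KEY
    if cls != "FACILITY" or rtype != "FAC" or prefix != key:
        return ("NO-RULE", f"no $KEY({prefix}) TYPE(FAC) rule covers {entity}")
    for res, mask, action in entries:
        if res == resource and uid_matches(mask, uid):
            return (action, f"{res} UID({mask}) {action}")
    return ("NO-ENTRY", f"{resource} UID(<uid of the logonid>) ALLOW")
```

Running check_access(SECTRACE, RULE_SET, "STGADMUSER002") reports NO-ENTRY together with the rule line that needs to be added; after that line is compiled into the rule, the same check reports ALLOW.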