How can the ACFRPTDS report showing a violation be used to write a rule in ACF2?

book

Article ID: 185826

calendar_today

Updated On:

Products

CA ACF2 CA ACF2 - DB2 Option CA ACF2 for zVM CA ACF2 - z/OS CA ACF2 - MISC CA LDAP Server for z/OS CA PAM Client for Linux for zSeries CA Web Administrator for Top Secret

Issue/Introduction

The ACFRPTRV report picks up this violation:

R009777 20.063 03/03 09.53 DATASET VIOLATION RKEY=#PPAGCY
P1AMSRPT VOL=ABCABC DDN=PANDD1 DSN=ABC.DEF.PPANLIB
STEP0010 VOL=ABCABC PGM=PAN#2 LIB=CAI.ABC.V123.CBA3LINK
JOB11934 DA-OPN UPDATE $MODEAB NAM=AMIT SETHI ROL=ABCMD
AUL1 SRC=V0020 UID=AH010A01234 R009777 

How should a rule be written?

Cause

If the user R009777 is getting a violation for update access to dataset ABC.DEF.PPANLIB, the dataset rule needed would be

$key(ABC)
DEF.PPANLIB UID(AH010A01234*R009777) R(A) W(A)

Then the user would need to log off and back on for the new rule to take effect.

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

From the output, we can see that the call is coming in as an update. This is irrespective of what you think it should be doing.

E009736 20.063 03/03 09.53 DATASET VIOLATION RKEY=#PPAGCY
P1AMSRPT VOL=STOR3D DDN=PANDD1 DSN=PAN.AGCY.PPANLIB
STEP0010 VOL=SWOEMA PGM=PAN#2 LIB=CAI.PAN.V146.CBA3LINK
JOB11934 DA-OPN UPDATE $MODEAB NAM=AMIT SETHI ROL=%CMDL2
AUL1 SRC=V0020 UID=AH010H13000 E009736
NEXTKEY: PAN

If the user needs access to this dataset, as suggested before, the rule needs to give this user access to read(a) and write(a).