How can the ACFRPTDS report showing a violation be used to write a rule in ACF2?
search cancel

How can the ACFRPTDS report showing a violation be used to write a rule in ACF2?

book

Article ID: 185826

calendar_today

Updated On:

Products

ACF2 ACF2 - DB2 Option ACF2 for zVM ACF2 - z/OS ACF2 - MISC LDAP SERVER FOR Z/OS PAM CLIENT FOR LINUX ON MAINFRAME WEB ADMINISTRATOR FOR TOP SECRET

Issue/Introduction

The ACFRPTRV report picks up this violation:

R009777 20.063 03/03 09.53 DATASET VIOLATION RKEY=#PPAGCY
P1AMSRPT VOL=ABCABC DDN=PANDD1 DSN=ABC.DEF.PPANLIB
STEP0010 VOL=ABCABC PGM=PAN#2 LIB=CAI.ABC.V123.CBA3LINK
JOB11934 DA-OPN UPDATE $MODEAB NAM=AMIT SETHI ROL=ABCMD
AUL1 SRC=V0020 UID=AH010A01234 R009777 

How should a rule be written?

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Cause

If the user R009777 is getting a violation for update access to dataset ABC.DEF.PPANLIB, the dataset rule needed would be

$key(ABC)
DEF.PPANLIB UID(AH010A01234*R009777) R(A) W(A)

Then the user would need to log off and back on for the new rule to take effect.

Resolution

From the output, we can see that the call is coming in as an update. This is irrespective of what you think it should be doing.

E009736 20.063 03/03 09.53 DATASET VIOLATION RKEY=#PPAGCY
P1AMSRPT VOL=STOR3D DDN=PANDD1 DSN=PAN.AGCY.PPANLIB
STEP0010 VOL=SWOEMA PGM=PAN#2 LIB=CAI.PAN.V146.CBA3LINK
JOB11934 DA-OPN UPDATE $MODEAB NAM=AMIT SETHI ROL=%CMDL2
AUL1 SRC=V0020 UID=AH010H13000 E009736
NEXTKEY: PAN

If the user needs access to this dataset, as suggested before, the rule needs to give this user access to read(a) and write(a).
Powered by Wolken Software