How to use ACF TEST Subcommand to test resource access rules.
Article ID: 189019
Updated On:
Products
ACF2
ACF2 - z/OS
ACF2 - MISC
Issue/Introduction
How to use ACF TEST Subcommand to test resource access rules. Syntax and example on using the ACF TEST subcomamnd.
Environment
Release : 16.0
Component : CA ACF2 for z/OS
Resolution
To use the TEST command there must first be a resource rule. In this example the following rule will be used:
ACF75052 RESOURCE RULE stgadmin STORED BY ABCDE01 ON 04/17/20-13:24
$key(stgadmin) type(fac)
igd.- uid(tfinpaynlt) service(read) allow
idc.- uid(tfinpayiso) log
ACF75051 TOTAL RECORD LENGTH= 250 BYTES, 6 PERCENT UTILIZED
The TEST subcommand takes these parameters:
To test this rule, issue the following TEST subcommand:
test stgadmin
When the period (.) appears, the TEST subcommand is active. Enter any of the TEST subcommand keywords to specify the particular environment wanted to be tested. Unspecified keywords inherit the default value for that keyword (if it has not yet been specified) or they inherit the value specified in the previous test and retain that value until a new value is explicitly specified for that keyword.
Test Subcommand Keywords
[Rsrcname(resourcemask)]
[LID(logonidmask)|Uid(uidmask)]
[Date(date)]
[RESET]
[SOurce(sourcemask)]
[Time(hhmm)]
{SErvice(Read,Update,Add,Delete)]
[ENd]
For example, the following keywords test whether the resource rule set STGADMIN lets the user TFINPAYNLT access the SMS storage administration resources:
test stgadmin
. rsrcname(igd) uid(tfinpaynlt) service(read)
After entering the TEST subcommand keywords, the system displays all of the current values that describe the environment being tested. The last two lines of the display indicate whether the access is permitted, logged, or prevented:
test stgadmin
. rsrcname(igd) uid(tfinpaynlt) service(read) role(arola)
ACF71114 THE FOLLOWING PARAMETERS ARE IN EFFECT:
DATE=04/02/04 TIME=1445 SOURCE=******** UID=TFINPAYNLT
ROLE=AROLA
SERVICE=(READ)
TARGET RESOURCE: RFAC STGADMIN.IGD
VALIDATED RULE LINE FROM STGADMIN TYPE FAC
IGD.- UID(TFINPAYNLT) SERVICE(READ) ALLOW
RESULT: ACCESS WOULD BE ALLOWED
REASON: RESOURCE RULE
This example shows that the user is permitted read authority only because a resource rule exists that defines that access.
After the result displays, you can specify other keywords and values to define another environment for testing. The END subcommand terminates the TEST subcommand.
ACF75052 RESOURCE RULE stgadmin STORED BY ABCDE01 ON 04/17/20-13:24
$key(stgadmin) type(fac)
igd.- uid(tfinpaynlt) service(read) allow
idc.- uid(tfinpayiso) log
ACF75051 TOTAL RECORD LENGTH= 250 BYTES, 6 PERCENT UTILIZED
The TEST subcommand takes these parameters:
* (asterisk) - Indicates that you want the last explicitly referenced rule set tested.
(no parameter) - Indicates that you want the last explicitly referenced rule set tested. The TEST subcommand operates the same whether you specify no parameters or an asterisk.
ruleid - Identifies the key of the rule set you want tested. To specify a rule set by its rule ID, you must have the authority to update the rule set, the SECURITY or AUDIT privilege level, or DECOMP authority as specified in the GSO RULEOPTS record. If the rule ID ends with a dash (-), enclose the rule ID in single quotes.
To test this rule, issue the following TEST subcommand:
test stgadmin
When the period (.) appears, the TEST subcommand is active. Enter any of the TEST subcommand keywords to specify the particular environment wanted to be tested. Unspecified keywords inherit the default value for that keyword (if it has not yet been specified) or they inherit the value specified in the previous test and retain that value until a new value is explicitly specified for that keyword.
Test Subcommand Keywords
[Rsrcname(resourcemask)]
[LID(logonidmask)|Uid(uidmask)]
[Date(date)]
[RESET]
[SOurce(sourcemask)]
[Time(hhmm)]
{SErvice(Read,Update,Add,Delete)]
[ENd]
For example, the following keywords test whether the resource rule set STGADMIN lets the user TFINPAYNLT access the SMS storage administration resources:
test stgadmin
. rsrcname(igd) uid(tfinpaynlt) service(read)
After entering the TEST subcommand keywords, the system displays all of the current values that describe the environment being tested. The last two lines of the display indicate whether the access is permitted, logged, or prevented:
test stgadmin
. rsrcname(igd) uid(tfinpaynlt) service(read) role(arola)
ACF71114 THE FOLLOWING PARAMETERS ARE IN EFFECT:
DATE=04/02/04 TIME=1445 SOURCE=******** UID=TFINPAYNLT
ROLE=AROLA
SERVICE=(READ)
TARGET RESOURCE: RFAC STGADMIN.IGD
VALIDATED RULE LINE FROM STGADMIN TYPE FAC
IGD.- UID(TFINPAYNLT) SERVICE(READ) ALLOW
RESULT: ACCESS WOULD BE ALLOWED
REASON: RESOURCE RULE
This example shows that the user is permitted read authority only because a resource rule exists that defines that access.
After the result displays, you can specify other keywords and values to define another environment for testing. The END subcommand terminates the TEST subcommand.
Additional Information
For more specific information regarding the TEST command and its subcommand please see documentation:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/security/ca-acf2-for-z-os/16-0/administrating/administer-rules/resource-rules/process-resource-rules-using-the-acf-command-and-ispf-panel.html
Feedback
Yes
No
Powered by
