How to use ACF TEST Subcommand to test resource access rules

Article ID: 189019


Products

ACF2, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

How to use the ACF TEST subcommand to test resource access rules, with the syntax and an example.

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

To use the TEST command there must first be a resource rule. In this example the following rule will be used:

ACF75052 RESOURCE RULE stgadmin STORED BY ABCD ON 04/17/20-13:24     
$key(stgadmin) type(fac)
 igd.- uid(uid of user) service(read) allow
 idc.- uid(uid of user) log
ACF75051 TOTAL RECORD LENGTH= 250 BYTES, 6 PERCENT UTILIZED

The TEST subcommand takes these parameters:

* (asterisk) - Indicates that you want the last explicitly referenced rule set tested.
(no parameter) - Indicates that you want the last explicitly referenced rule set tested. The TEST subcommand operates the same whether you specify no parameters or an asterisk.
ruleid - Identifies the key of the rule set you want tested. To specify a rule set by its rule ID, you must have the authority to update the rule set, the SECURITY or AUDIT privilege level, or DECOMP authority as specified in the GSO RULEOPTS record. If the rule ID ends with a dash (-), enclose the rule ID in single quotes.


To test this rule, issue the following TEST subcommand:
test stgadmin

When the period (.) appears, the TEST subcommand is active. Enter any of the TEST subcommand keywords to specify the particular environment you want to test. A keyword that you do not specify takes its default value if it has not been specified yet; otherwise it keeps the value from the previous test until you explicitly specify a new value for it.

Test Subcommand Keywords
[Rsrcname(resourcemask)]
[LID(logonidmask)|Uid(uidmask)]
[Date(date)]
[RESET]
[SOurce(sourcemask)]
[Time(hhmm)]
[SErvice(Read,Update,Add,Delete)]
[ENd]

For example, the following keywords test whether the resource rule set STGADMIN lets the user USER access the SMS storage administration resources:

test stgadmin
 .  rsrcname(igd) uid(uid of user) service(read)
 
After entering the TEST subcommand keywords, the system displays all of the current values that describe the environment being tested. The last two lines of the display indicate whether the access is permitted, logged, or prevented:

test stgadmin
 .  rsrcname(igd) uid(uid of user) service(read) role(rolea)
  ACF71114 THE FOLLOWING PARAMETERS ARE IN EFFECT:
  DATE=04/02/04 TIME=1445 SOURCE=******** UID=uid of user
  ROLE=ROLEA
  SERVICE=(READ)
 
  TARGET RESOURCE: RFAC STGADMIN.IGD

  VALIDATED RULE LINE FROM STGADMIN TYPE FAC
  IGD.- UID(uid of user) SERVICE(READ) ALLOW

  RESULT: ACCESS WOULD BE ALLOWED
  REASON: RESOURCE RULE
  
This example shows that the user is permitted read authority only because a resource rule exists that defines that access.
After the result displays, you can specify other keywords and values to define another environment for testing. The END subcommand terminates the TEST subcommand.
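
The following is an added example, not part of the original article or of the product: a Python parser for TEST output captured as text in the layout shown above, so that the RESULT of each tested environment can be compared with what you expect after a rule change. The function names and the captured-text input are assumptions; no result wording other than the one shown in this article is assumed.

```python
import re

# Constructed sample: the TEST display shown in this article, as captured text.
SAMPLE = """\
  ACF71114 THE FOLLOWING PARAMETERS ARE IN EFFECT:
  DATE=04/02/04 TIME=1445 SOURCE=******** UID=uid of user
  ROLE=ROLEA
  SERVICE=(READ)

  TARGET RESOURCE: RFAC STGADMIN.IGD

  VALIDATED RULE LINE FROM STGADMIN TYPE FAC
  IGD.- UID(uid of user) SERVICE(READ) ALLOW

  RESULT: ACCESS WOULD BE ALLOWED
  REASON: RESOURCE RULE
"""

# KEY=value pairs; a value runs to the next KEY= or end of line (a UID may hold blanks).
PARAM = re.compile(r"([A-Z]+)=(.*?)(?=\s+[A-Z]+=|$)")

def parse_test_output(text):
    """Return one dict per tested environment, split on each ACF71114 header."""
    results, cur, state = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ACF71114"):
            cur = dict(params={}, target=None, rule_line=None, result=None, reason=None)
            results.append(cur)
            state = "params"
        elif cur is None or not line:
            continue  # command echo before the first display, or a blank line
        elif line.startswith("TARGET RESOURCE:"):
            cur["target"], state = line.split(":", 1)[1].strip(), None
        elif line.startswith("VALIDATED RULE LINE"):
            state = "rule"  # the matching rule line follows this heading
        elif line.startswith(("RESULT:", "REASON:")):
            key, _, val = line.partition(":")
            cur[key.lower()] = val.strip()
        elif state == "rule":
            cur["rule_line"], state = line, None
        elif state == "params":
            cur["params"].update(PARAM.findall(line))
    return results

def mismatches(results, expected):
    """Return (index, expected, actual) for each test whose RESULT text differs."""
    pairs = enumerate(zip(results, expected))
    return [(i, want, r["result"]) for i, (r, want) in pairs if r["result"] != want]
```

Pass the text of a captured session to parse_test_output and the expected RESULT strings, in test order, to mismatches; an empty list means every tested environment produced the expected outcome.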

Additional Information

For more specific information about the TEST command and its subcommands, see the documentation:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/security/ca-acf2-for-z-os/16-0/administrating/administer-rules/resource-rules/process-resource-rules-using-the-acf-command-and-ispf-panel.html