How to use the ACF TEST subcommand to test resource access rules: syntax and an example.
Release : 16.0
Component : CA ACF2 for z/OS
To use the TEST command there must first be a resource rule. In this example the following rule will be used:
ACF75052 RESOURCE RULE stgadmin STORED BY ABCD ON 04/17/20-13:24
$key(stgadmin) type(fac)
igd.- uid(uid of user) service(read) allow
idc.- uid(uid of user) log
ACF75051 TOTAL RECORD LENGTH= 250 BYTES, 6 PERCENT UTILIZED
The TEST subcommand takes these parameters:
To test this rule, issue the following TEST subcommand:
test stgadmin
When the period (.) appears, the TEST subcommand is active. Enter any of the TEST subcommand keywords to describe the environment you want to test. A keyword that you do not specify keeps the value from the previous test until you explicitly specify a new value; if it has not yet been specified, it takes its default value.
Test Subcommand Keywords
[Rsrcname(resourcemask)]
[LID(logonidmask)|Uid(uidmask)]
[Date(date)]
[RESET]
[SOurce(sourcemask)]
[Time(hhmm)]
[SErvice(Read,Update,Add,Delete)]
[ENd]
For example, the following keywords test whether the resource rule set STGADMIN lets the user USER access the SMS storage administration resources:
test stgadmin
. rsrcname(igd) uid(uid of user) service(read)
After entering the TEST subcommand keywords, the system displays all of the current values that describe the environment being tested. The last two lines of the display indicate whether the access is permitted, logged, or prevented:
test stgadmin
. rsrcname(igd) uid(uid of user) service(read) role(rolea)
ACF71114 THE FOLLOWING PARAMETERS ARE IN EFFECT:
DATE=04/02/04 TIME=1445 SOURCE=******** UID=uid of user
ROLE=ROLEA
SERVICE=(READ)
TARGET RESOURCE: RFAC STGADMIN.IGD
VALIDATED RULE LINE FROM STGADMIN TYPE FAC
IGD.- UID(uid of user) SERVICE(READ) ALLOW
RESULT: ACCESS WOULD BE ALLOWED
REASON: RESOURCE RULE
This example shows that the user is permitted read authority only because a resource rule exists that defines that access.
After the result displays, you can specify other keywords and values to define another environment for testing. The END subcommand terminates the TEST subcommand.
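The following Python script is an added example, not part of the original article or of CA ACF2. It parses captured TEST output in the display format shown above and lists every test whose RESULT line differs from the result the administrator expects, which is useful for rechecking access after a rule change. The function names, the expected-result table and the assumption that the output was saved as text are hypothetical.

```python
import re

# Constructed sample: the TEST display from this article, saved as text.
SAMPLE = """\
test stgadmin
. rsrcname(igd) uid(uid of user) service(read) role(rolea)
ACF71114 THE FOLLOWING PARAMETERS ARE IN EFFECT:
DATE=04/02/04 TIME=1445 SOURCE=******** UID=uid of user
ROLE=ROLEA
SERVICE=(READ)
TARGET RESOURCE: RFAC STGADMIN.IGD
VALIDATED RULE LINE FROM STGADMIN TYPE FAC
IGD.- UID(uid of user) SERVICE(READ) ALLOW
RESULT: ACCESS WOULD BE ALLOWED
REASON: RESOURCE RULE
"""

PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # KEY=value; values may hold spaces
LABELS = {"TARGET RESOURCE:": "target", "RESULT:": "result", "REASON:": "reason"}

def parse_test_displays(text):
    """Return one dict per ACF71114 display found in captured TEST output."""
    displays, cur, want_rule = [], None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("ACF71114"):
            cur, want_rule = {"params": {}}, False
            displays.append(cur)
        elif cur is None or not line:
            continue                      # echoed input before the first display
        elif want_rule:
            cur["rule_line"], want_rule = line, False
        elif line.startswith("VALIDATED RULE LINE"):
            want_rule = True              # the matched rule line follows
        else:
            for label, field in LABELS.items():
                if line.startswith(label):
                    cur[field] = line[len(label):].strip()
                    break
            else:
                cur["params"].update(PAIR.findall(line))
    return displays

def check(displays, expected):
    """List displays whose RESULT differs from the expected text (hypothetical table)."""
    problems = []
    for d in displays:
        key = (d.get("target"), d["params"].get("UID"), d["params"].get("SERVICE"))
        if d.get("result") != expected.get(key):
            problems.append((key, d.get("result"), d.get("reason")))
    return problems
```

The `expected` table maps (target resource, UID, service) to the full RESULT text; a test with no entry in the table is reported as well, so unreviewed access paths do not pass silently.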
For more specific information about the TEST subcommand and its keywords, see the documentation:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/security/ca-acf2-for-z-os/16-0/administrating/administer-rules/resource-rules/process-resource-rules-using-the-acf-command-and-ispf-panel.html