search cancel

How to have a role(-) entry in an ACF2 ROLESET that will only be used after all of the user's roles have been validated.

book

Article ID: 189213

calendar_today

Updated On:

Products

ACF2 ACF2 - DB2 Option ACF2 for zVM ACF2 - z/OS ACF2 - MISC LDAP SERVER FOR Z/OS PAM CLIENT FOR LINUX ON MAINFRAME WEB ADMINISTRATOR FOR TOP SECRET

Issue/Introduction

With the following rule in place, and a user with roles OTHER1 OTHER2 and ROLE1.


$KEY(USEROLES) TYPE(SAF ROLESET       

 USER(USER1) SERVICE(UPDATE) ALLOW               

 ROLE(ROLE1) SERVICE(DELETE,UPDATE) ALLOW             

 ROLE(ROLE2) SERVICE(READ,ADD,DELETE,UPDATE) ALLOW    

 ROLE(ROLE3) SERVICE(READ,ADD,DELETE,UPDATE) ALLOW 

 ROLE(-)  NEXTKEY(CHKUIDs)   

The first role "OTHER1" would be validated and found not to have access to the resource - so would match on 
the ROLE(-) rule line. and go off to the CHKUIDs rule.
It would be preferred that the users other roles be checked before the ROLE(-) be used.
How can this be achieved?
 

  

 

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution


The problem with ROLE(-) at the end of a rule can be resolved by using the following...

1) create a role record called ZZZZUSRS with INCLUDE(-)
2) instead of a ruleline with "ROLE(-)  NEXTKEY(CHKUIDs)"   you could specify ROLE(ZZZZUSRS) NEXTKEY(CHKUIDs)

This would mean that all roles that a user has will be checked before the ZZZUSRS role allowing multiple passes
through the roleset until it gets to the last role ZZZUSRS.
Note: it does not matter what the role name is (alphabetically) because the include(-)
will always be at the end of the user's roles because it is the least specific in the includes.

There is one potential problem with this scenario.
If you have ROLE GROUP records, they will not be seen prior to theZZZUSRS record.
The order of roles that are attached to a user can be seen by issuing the ROLES command
in the ACF command processor.

ACF
ROLES USER01
END

The level of masking of logonids within the include statement denotes the positioning (alphabetically) of the user's roles.

for example:

With the following roles...

ROLE AAA include(AA******)
ROLE BBB INCLUDE(AAAAAA**)
ROLE ZZZ INCLUDE(AAAAA***)
ROLE ZZZUSRS INCLUDE(-)
ROLE CCC INCLUDE(AAA BBB ZZZ) GROUP
ROLE ABCD INCLUDE(C**) GROUP

The user's role table will look like this...

BBB ZZZ AAA ZZZUSRS CCC ABCD


If the site can setup roles without ROLE GROUPS, this process will work.