search cancel

How to have a role(-) entry in an ACF2 ROLESET that will only be used after all of the user's roles have been validated.

book

Article ID: 189213

calendar_today

Updated On:

Products

ACF2 ACF2 - DB2 Option ACF2 for zVM ACF2 - z/OS ACF2 - MISC LDAP SERVER FOR Z/OS PAM CLIENT FOR LINUX ON MAINFRAME WEB ADMINISTRATOR FOR TOP SECRET

Issue/Introduction

With the following rule in place, and a user with roles OTHER1 OTHER2 and ROLE1.


$KEY(USEROLES) TYPE(SAF ROLESET       

 USER(USER1) SERVICE(UPDATE) ALLOW               

 ROLE(ROLE1) SERVICE(DELETE,UPDATE) ALLOW             

 ROLE(ROLE2) SERVICE(READ,ADD,DELETE,UPDATE) ALLOW    

 ROLE(ROLE3) SERVICE(READ,ADD,DELETE,UPDATE) ALLOW 

 ROLE(-)  NEXTKEY(CHKUIDs)   

The first role "OTHER1" would be validated and found not to have access to the resource - so would match on 
the ROLE(-) rule line. and go off to the CHKUIDs rule.
It would be preferred that the users other roles be checked before the ROLE(-) be used.
How can this be achieved?
 

  

 

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution


The problem with ROLE(-) at the end of a rule can be resolved by using the following...

create a ROLE record called 99999998 with an  INCLUDE(-)

ACF
SET XREF(ROL)
INSERT 99999998 INCLUDE(-) ROLE

Then insert a group record called 999999999 to include(9999999-) and
exclude(99999990 99999991 99999992 99999993 99999994 99999995 99999996 99999997 9999999)

ACF
SET XREF(ROL)) 
INSERT 99999999 INCLUDE(9999999-) EXCLUDE(99999990 99999991 99999992 99999993 99999994 99999995 99999996 99999997 9999999)


 issue an f acf2,newxref,type(rol)
and see where the new role is for any particular user
using the ROLES command.
It should always be the last role and group for every user.

Then instead of role(-) NEXTKEY(CHKUIDs)   
you would specify ROLE(99999999) NEXTKEY(CHKUIDs)   
Also ensure that a rule is never written to use role(99999998) 


ACF
ROLES USER01
END

The level of masking of logonids within the include statement denotes the positioning (alphabetically) of the user's roles.

for example:

With the following roles...

ROLE AAA include(AA******)
ROLE BBB INCLUDE(AAAAAA**)
ROLE ZZZ INCLUDE(AAAAA***)
ROLE 99999998 INCLUDE(-)
ROLE CCC INCLUDE(AAA BBB ZZZ) GROUP
ROLE ABCD INCLUDE(C**) GROUP
ROLE 99999999 INCLUDE(9999999-) EXCLUDE(99999990 99999991 99999992 99999993 99999994 99999995 99999996 99999997 9999999)

The user's role table will look like this...

BBB ZZZ AAA 99999998 CCC ABCD 99999999