With the following rule in place, consider a user with roles OTHER1, OTHER2 and ROLE1.
How can this user go to the NEXTKEY rule CHKUIDS ONLY AFTER all the roles attached to the logonid have been validated,
instead of going there after the validation of OTHER1, and then of OTHER2, and only then being allowed because of ROLE1?
$KEY(USEROLES) TYPE(SAF) ROLESET
USER(USER1) SERVICE(UPDATE) ALLOW
ROLE(ROLE1) SERVICE(DELETE,UPDATE) ALLOW
ROLE(ROLE2) SERVICE(READ,ADD,DELETE,UPDATE) ALLOW
ROLE(ROLE3) SERVICE(READ,ADD,DELETE,UPDATE) ALLOW
The first role, "OTHER1", would be validated and found not to have any specified access to the resource, so it would match
the ROLE(-) rule line and go off to the CHKUIDS rule.
Then, if no access is permitted, the validation will continue with OTHER2.
It would be preferred that the user's other roles be checked before ROLE(-) is used.
The content of nextkey(CHKUIDS) is not relevant.
How can this be achieved?
Release : 16.0
Component : CA ACF2 for z/OS
The problem with ROLE(-) at the end of a rule can be resolved by using the following...