Given the following rule, and a user who holds the roles OTHER1, OTHER2 and ROLE1:
$KEY(USEROLES) TYPE(SAF) $ROLESET
USER(USER1) SERVICE(UPDATE) ALLOW
ROLE(ROLE1) SERVICE(DELETE,UPDATE) ALLOW
ROLE(ROLE2) SERVICE(READ,ADD,DELETE,UPDATE) ALLOW
ROLE(ROLE3) SERVICE(READ,ADD,DELETE,UPDATE) ALLOW
ROLE(-) NEXTKEY(CHKUIDs)
The first role, OTHER1, is checked and found to match none of the ROLE(ROLE1), ROLE(ROLE2) or ROLE(ROLE3) lines, so it matches the ROLE(-) line and processing goes off to the CHKUIDs rule. The user's remaining roles, including ROLE1 (which would permit UPDATE), are never checked.
It would be preferable for the user's other roles to be checked before the ROLE(-) line is used.
How can this be achieved?
Release : 16.0
Component : CA ACF2 for z/OS
The problem with ROLE(-) at the end of a rule can be resolved as follows:
1) Create a ROLE record called ZZZUSRS with INCLUDE(-).
2) Instead of the rule line "ROLE(-) NEXTKEY(CHKUIDs)", code ROLE(ZZZUSRS) NEXTKEY(CHKUIDs).
Because ROLE(ZZZUSRS) matches only that one role, every other role the user holds is checked against the roleset first, allowing multiple passes
through the roleset until it reaches the user's last role, ZZZUSRS.
Note: the role name itself does not matter (alphabetically or otherwise). INCLUDE(-) is the least specific include possible,
so that role is always placed at the end of the user's roles.
There is one potential problem with this scenario.
If you have ROLE GROUP records, they are placed after the ZZZUSRS role, so they will not be seen before the ZZZUSRS line is matched.
The order of the roles attached to a user can be seen by issuing the ROLES command
in the ACF command processor:
ACF
ROLES USER01
END
The specificity of the logonid mask in the INCLUDE statement determines the position of each role in the user's role table: the most specific mask is placed first, INCLUDE(-) last, and ROLE GROUP records after all of the non-group roles.
For example, with the following roles...
ROLE AAA INCLUDE(AA******)
ROLE BBB INCLUDE(AAAAAA**)
ROLE ZZZ INCLUDE(AAAAA***)
ROLE ZZZUSRS INCLUDE(-)
ROLE CCC INCLUDE(AAA BBB ZZZ) GROUP
ROLE ABCD INCLUDE(C**) GROUP
The role table of a user whose logonid matches AAAAAA** (and therefore also the two less specific masks) will look like this...
BBB ZZZ AAA ZZZUSRS CCC ABCD
If the site can set up roles without ROLE GROUP records, this process will work.
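The following is an added model of the behaviour described above, written for this article; it is not CA ACF2 code and its matching semantics are a simplified reading of the text: a logonid mask uses '*' for one character position and '-' for any remaining characters, a role's position in the table is decided by the most specific mask that matched (ties broken by name, an assumption), GROUP roles are appended after all non-group roles, and the roleset rule is walked once per role in table order with the first matching line deciding. The role records, rule lines and the OTHER1/OTHER2/ROLE1 role table are constructed from the examples on this page; the USER(USER1) line is omitted from the model.

```python
"""Model of ACF2 role-table ordering and roleset rule evaluation (added illustration, not ACF2 code)."""


def mask_match(mask: str, value: str) -> bool:
    """Simplified ACF2 mask: '*' covers one character (or padding past the end), '-' covers the rest."""
    i = 0
    for ch in mask:
        if ch == "-":
            return True
        if i < len(value):
            if ch != "*" and ch != value[i]:
                return False
        elif ch != "*":
            return False
        i += 1
    return i >= len(value)


def specificity(mask: str) -> int:
    """Number of literal characters in a mask; INCLUDE(-) scores 0, so it always sorts last."""
    return sum(ch not in "*-" for ch in mask)


def role_table(logonid: str, roles: dict) -> list:
    """Order the user's roles the way the article's ROLES output shows them."""
    direct = []
    for name, (includes, is_group) in roles.items():
        if is_group:
            continue
        hits = [specificity(m) for m in includes if mask_match(m, logonid)]
        if hits:
            direct.append((-max(hits), name))      # most specific mask first; ties by name (assumption)
    table = [name for _, name in sorted(direct)]
    # GROUP records include other roles by name (masks allowed); resolve until no new group appears.
    groups = {}
    changed = True
    while changed:
        changed = False
        for name, (includes, is_group) in roles.items():
            if not is_group or name in groups:
                continue
            hits = [specificity(m) for m in includes
                    for member in table + list(groups) if mask_match(m, member)]
            if hits:
                groups[name] = -max(hits)
                changed = True
    table += [name for _, name in sorted((s, n) for n, s in groups.items())]
    return table


def evaluate(rule_lines: list, table: list, service: str) -> tuple:
    """Walk the roleset once per role in table order; the first line whose ROLE mask matches decides."""
    for role in table:
        for line in rule_lines:
            if not mask_match(line["role"], role):
                continue
            if "nextkey" in line:
                return ("NEXTKEY", line["nextkey"], role)
            if service in line["services"]:
                return ("ALLOW" if line["allow"] else "PREVENT", None, role)
    return ("NOMATCH", None, None)


# Constructed ROLE records from the article's ordering example: name -> (INCLUDE masks, GROUP?)
ROLES = {
    "AAA": (["AA******"], False),
    "BBB": (["AAAAAA**"], False),
    "ZZZ": (["AAAAA***"], False),
    "ZZZUSRS": (["-"], False),
    "CCC": (["AAA", "BBB", "ZZZ"], True),
    "ABCD": (["C**"], True),
}

# The USEROLES roleset from the question, before and after the fix.
RULE_ROLE_DASH = [
    {"role": "ROLE1", "services": {"DELETE", "UPDATE"}, "allow": True},
    {"role": "ROLE2", "services": {"READ", "ADD", "DELETE", "UPDATE"}, "allow": True},
    {"role": "ROLE3", "services": {"READ", "ADD", "DELETE", "UPDATE"}, "allow": True},
    {"role": "-", "nextkey": "CHKUIDs"},
]
RULE_ROLE_ZZZUSRS = RULE_ROLE_DASH[:3] + [{"role": "ZZZUSRS", "nextkey": "CHKUIDs"}]

# Constructed role tables for the user in the question (OTHER1 first, as the question states).
TABLE_BEFORE = ["OTHER1", "OTHER2", "ROLE1"]
TABLE_AFTER = TABLE_BEFORE + ["ZZZUSRS"]     # INCLUDE(-) role lands last

if __name__ == "__main__":
    print("role table:", " ".join(role_table("AAAAAAAA", ROLES)))
    print("ROLE(-)      UPDATE:", evaluate(RULE_ROLE_DASH, TABLE_BEFORE, "UPDATE"))
    print("ROLE(ZZZUSRS) UPDATE:", evaluate(RULE_ROLE_ZZZUSRS, TABLE_AFTER, "UPDATE"))
    print("ROLE(ZZZUSRS) READ:  ", evaluate(RULE_ROLE_ZZZUSRS, TABLE_AFTER, "READ"))
```

Running it reproduces the table BBB ZZZ AAA ZZZUSRS CCC ABCD for a logonid of AAAAAAAA, shows UPDATE being handed to CHKUIDs by OTHER1 under ROLE(-) but allowed by ROLE1 under ROLE(ZZZUSRS), and shows that a service no listed role permits (READ) still reaches NEXTKEY, now only after every other role has been tried.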