With the following rule in place, and a user with roles OTHER1, OTHER2 and ROLE1:
$KEY(USEROLES) TYPE(SAF) ROLESET
USER(USER1) SERVICE(UPDATE) ALLOW
ROLE(ROLE1) SERVICE(DELETE,UPDATE) ALLOW
ROLE(ROLE2) SERVICE(READ,ADD,DELETE,UPDATE) ALLOW
ROLE(ROLE3) SERVICE(READ,ADD,DELETE,UPDATE) ALLOW
The first role "OTHER1" would be validated and found not to have access to the resource, so it would match on
the ROLE(-) rule line and go off to the CHKUIDs rule.
It would be preferred that the user's other roles be checked before the ROLE(-) line is used.
How can this be achieved?
Release : 16.0
Component : CA ACF2 for z/OS
The problem with ROLE(-) at the end of a rule can be resolved as follows.
The level of masking of logonids within the INCLUDE statement determines the position (alphabetically) of each role in the user's role table.
With the following roles...
ROLE AAA INCLUDE(AA******)
ROLE BBB INCLUDE(AAAAAA**)
ROLE ZZZ INCLUDE(AAAAA***)
ROLE 99999998 INCLUDE(-)
ROLE CCC INCLUDE(AAA BBB ZZZ) GROUP
ROLE ABCD INCLUDE(C**) GROUP
ROLE 99999999 INCLUDE(9999999-) EXCLUDE(99999990 99999991 99999992 99999993 99999994 99999995 99999996 99999997 9999999)
The user's role table will then look like this...
BBB ZZZ AAA 99999998 CCC ABCD 99999999