setup a role(-) entry of last resort in an ACF2 ROLESET

Products: ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, LDAP SERVER FOR Z/OS, PAM CLIENT FOR LINUX ON MAINFRAME, WEB ADMINISTRATOR FOR TOP SECRET

Issue/Introduction

With the following rule in place, and a user whose logonid has the roles OTHER1, OTHER2 and ROLE1:
how can this user be sent to the NEXTKEY rule CHKUIDS ONLY after all of the roles attached to the logonid have been validated,
instead of after the validation of OTHER1, then again after OTHER2, before finally being allowed because of ROLE1?

$KEY(USEROLES) TYPE(SAF) $ROLESET
 USER(USER1) SERVICE(UPDATE) ALLOW
 ROLE(ROLE1) SERVICE(DELETE,UPDATE) ALLOW
 ROLE(ROLE2) SERVICE(READ,ADD,DELETE,UPDATE) ALLOW
 ROLE(ROLE3) SERVICE(READ,ADD,DELETE,UPDATE) ALLOW
 ROLE(-) NEXTKEY(CHKUIDS)

The first role, OTHER1, would be validated and found to have no specific access to the resource, so it would match
the ROLE(-) rule line and go off to the CHKUIDS rule.
Then, if no access is permitted there, the validation continues with OTHER2.

It would be preferred that the user's other roles be checked before the ROLE(-) line is used.
The content of NEXTKEY(CHKUIDS) is not relevant to the question.

How can this be achieved?

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution


The problem with ROLE(-) at the end of a rule can be resolved as follows.

First, create a ROLE record called 99999998 with INCLUDE(-):

ACF
SET XREF(ROL)
INSERT 99999998 INCLUDE(-) ROLE

Then insert a GROUP record called 99999999 with INCLUDE(9999999-) and
EXCLUDE(99999990 99999991 99999992 99999993 99999994 99999995 99999996 99999997 9999999):

ACF
SET XREF(ROL)
INSERT 99999999 INCLUDE(9999999-) EXCLUDE(99999990 99999991 99999992 99999993 99999994 99999995 99999996 99999997 9999999) GROUP


Issue F ACF2,NEWXREF,TYPE(ROL) to rebuild the cross-reference,
then check where the new role falls for any particular user with the ROLES command.
It should always be the last role and the last group for every user.

ACF
ROLES USER01
END

The level of masking of logonids within the INCLUDE statement determines the positioning (alphabetically) of the user's roles in the role table.
For example, with the following roles:
ROLE AAA INCLUDE(AA******)
ROLE BBB INCLUDE(AAAAAA**)
ROLE ZZZ INCLUDE(AAAAA***)
ROLE 99999998 INCLUDE(-)
ROLE CCC INCLUDE(AAA BBB ZZZ) GROUP
ROLE ABCD INCLUDE(C**) GROUP
ROLE 99999999 INCLUDE(9999999-) EXCLUDE(99999990 99999991 99999992 99999993 99999994 99999995 99999996 99999997 9999999) GROUP

The user's role table will then look like this:

ACF
ROLES USER01
BBB ZZZ AAA 99999998 CCC ABCD 99999999
END
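To make the difference between the original rule and the role-of-last-resort approach concrete, the following Python walkthrough is an added illustration written for this article; it is not ACF2 code and not part of the article. It models only the evaluation order the article describes (roles checked in the order the ROLES command lists them, the first matching ROLE line deciding for that role, a NEXTKEY line handing the request to another rule key, and validation continuing with the next role if that rule grants nothing). It assumes that, once every user carries 99999998 as their last role, the trailing ROLE(-) line is rewritten as ROLE(99999998); the article implies this but does not show the changed rule line. The USER(USER1) line is left out of the model, CHKUIDS is represented as a rule that grants nothing, and the mask handling is a simplification, not a full implementation of ACF2 masking.

```python
"""Role-order walkthrough for an ACF2 ROLESET rule with a NEXTKEY line.

Added illustration for this article; not ACF2 code and not the article's
own material. It models only the behaviour the article describes.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple


def mask_matches(mask: str, value: str) -> bool:
    """Simplified ACF2 masking (assumption for this illustration):
    '*' matches any single character, a trailing '-' matches the rest."""
    pattern = mask.replace("*", "?")
    if pattern.endswith("-"):
        pattern = pattern[:-1] + "*"
    return fnmatchcase(value, pattern)


@dataclass(frozen=True)
class RuleLine:
    role_mask: str
    services: frozenset = frozenset()  # empty means any SERVICE
    allow: bool = False                # an ALLOW line
    nextkey: Optional[str] = None      # a NEXTKEY(...) line

    def applies(self, role: str, service: str) -> bool:
        return mask_matches(self.role_mask, role) and (
            not self.services or service in self.services)


def validate(rules: Dict[str, List[RuleLine]], key: str, roles: List[str],
             service: str, trace: List[str]) -> bool:
    """True when some role in `roles` is allowed `service` under rule `key`.
    One trace entry is appended per decision point."""
    for role in roles:
        for line in rules[key]:
            if not line.applies(role, service):
                continue
            if line.nextkey is not None:
                trace.append(f"{role}: ROLE({line.role_mask}) -> NEXTKEY({line.nextkey})")
                # The NEXTKEY rule is evaluated for this role; if it grants
                # nothing, validation continues with the user's next role.
                if validate(rules, line.nextkey, [role], service, trace):
                    return True
            elif line.allow:
                trace.append(f"{role}: ROLE({line.role_mask}) ALLOW")
                return True
            break  # the first matching line decides for this role
    return False


SERVICES_ALL = frozenset({"READ", "ADD", "DELETE", "UPDATE"})


def build_rules(last_resort_mask: str) -> Dict[str, List[RuleLine]]:
    """The article's USEROLES rule; `last_resort_mask` is '-' for the
    original rule and '99999998' for the assumed rewrite of that line."""
    return {
        "USEROLES": [
            RuleLine("ROLE1", frozenset({"DELETE", "UPDATE"}), allow=True),
            RuleLine("ROLE2", SERVICES_ALL, allow=True),
            RuleLine("ROLE3", SERVICES_ALL, allow=True),
            RuleLine(last_resort_mask, nextkey="CHKUIDS"),
        ],
        # Stand-in for the article's NEXTKEY rule: its content is not
        # relevant to the question, so here it grants nothing.
        "CHKUIDS": [],
    }


def run(last_resort_mask: str, roles: List[str],
        service: str = "DELETE") -> Tuple[bool, int, List[str]]:
    """Validate one request and report (allowed, NEXTKEY visits, trace)."""
    trace: List[str] = []
    allowed = validate(build_rules(last_resort_mask), "USEROLES", roles, service, trace)
    visits = sum("NEXTKEY" in step for step in trace)
    return allowed, visits, trace


if __name__ == "__main__":
    # Constructed scenarios: the logonid from the article, before and after.
    for label, mask, roles in [
        ("original ROLE(-)", "-", ["OTHER1", "OTHER2", "ROLE1"]),
        ("ROLE(99999998) as last resort", "99999998",
         ["OTHER1", "OTHER2", "ROLE1", "99999998"]),
        ("no granting role, last resort reached once", "99999998",
         ["OTHER1", "OTHER2", "99999998"]),
    ]:
        allowed, visits, trace = run(mask, roles)
        print(f"{label}: allowed={allowed}, NEXTKEY visits={visits}")
        for step in trace:
            print("   ", step)
```

With the original rule the trace shows CHKUIDS being entered for OTHER1 and again for OTHER2 before ROLE1 finally allows the request; with 99999998 as everyone's last role and the last line keyed to it, the request is allowed on ROLE1 without ever visiting CHKUIDS, and a user with no granting role reaches CHKUIDS exactly once, after all other roles have been checked.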