Release : 16.0
Component : CA ACF2 for z/OS
Anytime message ACF04056 is received it means that the user doesn't have access to the resource mentioned. If the message is:
'ACF04056 ACCESS TO RESOURCE DISPLAY.GROUPS TYPE RSAF BY AB12345 NOT AUTHORIZED' user AB12345 doesn't have the access requested to class SAF resource DISPLAY.GROUPS.
Note that the TYPE field in the resource rule should just be the last 3 characters of the TYPE field in the ACF04056 message. The ACF04056 error provides the R in front as normal ACF2 resource records contain an R in the record key before the 3 character type code.
In order to find what access was attempted, run the ACFRPTRV report against the active SMF at the time of the ACF04056 violation for the user. Decompile the rule. Find the access that was attempted and write rules accordingly.
Sample TSO, ACF command to DECOMP a Resource rule:
ACF
SET RESOURCE(SAF)
DECOMP DISPLAY
Sample ACFRPTRV JCL:
//REPORT EXEC PGM=ACFRPTRV
//SYSPRINT DD SYSOUT=*
//* THE FOLLOWIND DDS SHOULD POINT TO CURRENT SMF
//* THE "D SMF" OPERATOR COMMAND CAN BE USED TO LIST CURRENT SMF
//RECMAN1 DD DISP=SHR,DSN=SYS1.MAN1
//RECMAN2 DD DISP=SHR,DSN=SYS1.MAN2
//RECMAN3 DD DISP=SHR,DSN=SYS1.MAN3
//SYSIN DD *
TITLE(ACFRPTRV)
MASK(AB12345)
/*