How to determine ACF2 resource rule is in place for CA IDMS ALLOWUSERKEYCSA(NO) FACILITY IEAABD.DMPAKEY.
Article ID: 192319
Updated On:
Products
ACF2
ACF2 for zVM
ACF2 - z/OS
IDMS
Issue/Introduction
Changing CA IDMS to run with z/OS system parameter VSM ALLOWUSERKEYCSA(NO) and one of the steps is as follows:
“To ensure that complete dumps are always captured, the user who is associated with the startup of the CA IDMS
system needs to be granted READ access to facility IEAABD.DMPAKEY.”
How to verify in an ACF2 environment whether this access exists or not?
“To ensure that complete dumps are always captured, the user who is associated with the startup of the CA IDMS
system needs to be granted READ access to facility IEAABD.DMPAKEY.”
How to verify in an ACF2 environment whether this access exists or not?
Environment
Release : 16.0
Component : CA ACF2 for z/OS
Resolution
RACF information related to IEAABD.DMPAKEY resource:
When you specify an access authority on either the RDEFINE command or PERMIT
command, RACF® allows access to program dumps as follows:
A user who has READ or greater authority to the IEAABD.DMPAKEY resource
can obtain program dumps, even when the program is running in a TCB key
that is less than 8.
A user who has less than READ authority to the IEAABD.DMPAKEY resource
can never obtain program dumps when the program is running in a TCB key
that is less than 8.
Example of defining the IEAABD.DMPAKEY profile within RACF:
PERMIT IEAABD.DMPAKEY CLASS(FACILITY) ID(ASMITH) ACCESS(READ)
ACF2 has an internal CLASMAP which maps FACILITY to FAC.
The following ACFBATCH job should will determine what ACF2 resource rules
are defined under TYPE(FAC):
//STEP01 EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
SHOW CLASMAP
SET RESOURCE(FAC)
LIST LIKE(-)
Review the output and verify that the ACF2 Resource Class of FACILITY is mapped
to Type Code FAC.
Then review the resource rules to verify there is an IEAABD entry with
the following being an example (adjust UID according to site requirements):
$KEY(IEAABD) TYPE(FAC)
DMPAKEY UID(*) SERVICE(READ) ALLOW
When you specify an access authority on either the RDEFINE command or PERMIT
command, RACF® allows access to program dumps as follows:
A user who has READ or greater authority to the IEAABD.DMPAKEY resource
can obtain program dumps, even when the program is running in a TCB key
that is less than 8.
A user who has less than READ authority to the IEAABD.DMPAKEY resource
can never obtain program dumps when the program is running in a TCB key
that is less than 8.
Example of defining the IEAABD.DMPAKEY profile within RACF:
PERMIT IEAABD.DMPAKEY CLASS(FACILITY) ID(ASMITH) ACCESS(READ)
ACF2 has an internal CLASMAP which maps FACILITY to FAC.
The following ACFBATCH job should will determine what ACF2 resource rules
are defined under TYPE(FAC):
//STEP01 EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
SHOW CLASMAP
SET RESOURCE(FAC)
LIST LIKE(-)
Review the output and verify that the ACF2 Resource Class of FACILITY is mapped
to Type Code FAC.
Then review the resource rules to verify there is an IEAABD entry with
the following being an example (adjust UID according to site requirements):
$KEY(IEAABD) TYPE(FAC)
DMPAKEY UID(*) SERVICE(READ) ALLOW
Feedback
Yes
No
Powered by
