How to determine ACF2 resource rule is in place for CA IDMS ALLOWUSERKEYCSA(NO) FACILITY IEAABD.DMPAKEY.

book

Article ID: 192319

calendar_today

Updated On:

Products

CA ACF2 CA ACF2 for zVM CA ACF2 - z/OS CA IDMS

Issue/Introduction

Changing CA IDMS to run with z/OS system parameter VSM ALLOWUSERKEYCSA(NO) and one of the steps is as follows:

“To ensure that complete dumps are always captured, the user who is associated with the startup of the CA IDMS
system needs to be granted READ access to facility IEAABD.DMPAKEY.”

How to verify in an ACF2 environment whether this access exists or not? 

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

RACF information related to IEAABD.DMPAKEY resource: 

When you specify an access authority on either the RDEFINE command or PERMIT 
command, RACF® allows access to program dumps as follows:

A user who has READ or greater authority to the IEAABD.DMPAKEY resource 
can obtain program dumps, even when the program is running in a TCB key 
that is less than 8.

A user who has less than READ authority to the IEAABD.DMPAKEY resource 
can never obtain program dumps when the program is running in a TCB key
that is less than 8.


Example of defining the IEAABD.DMPAKEY profile within RACF:
PERMIT IEAABD.DMPAKEY CLASS(FACILITY) ID(ASMITH) ACCESS(READ)


ACF2 has an internal CLASMAP which maps FACILITY to FAC.

The following ACFBATCH job should will determine what ACF2 resource rules
are defined under TYPE(FAC):

//STEP01 EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
SHOW CLASMAP
SET RESOURCE(FAC)
LIST LIKE(-)


Review the output and verify that the ACF2 Resource Class of FACILITY is mapped
to Type Code FAC.

Then review the resource rules to verify there is an IEAABD entry with
the following being an example (adjust UID according to site requirements):

$KEY(IEAABD) TYPE(FAC)
DMPAKEY UID(*) SERVICE(READ) ALLOW