ACF99913 ACF2 VIOLATION-04,00, for XCF Couple dataset for STC default logonid

Article ID: 203657

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, LDAP SERVER FOR Z/OS, PAM CLIENT FOR LINUX ON MAINFRAME, WEB ADMINISTRATOR FOR TOP SECRET

Issue/Introduction

When a new couple dataset is made available with the SETXCF command, the following ACF2 violation is issued: ACF99913 ACF2 VIOLATION-04,00,xxxxxxxx,volser,SYSXXX.XCF.yyyy. Here xxxxxxxx is the started task default logonid.

 

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

The ACFRPTDS report entry for the SYSXXX.XCF.yyyy violation shows 'NORECORD', which indicates that there is no dataset access rule:

 xxxxxxxx  20.323 18/11 10.57       DATASET  VIOLATION
 XCFAS    VOL=volser DDN=SYSnnnnn DSN=SYSXXX.XCF.yyyy
 IEFPROC  VOL=       PGM=IXCINJST LIB=SYS1.LINKLIB
          DA-OPN OUTPUT  NORECORD NAM=DEFAULT STC LID      ROL=
 MCF      SRC=STCINRDR            UID=xxxxxxxx

The jobname XCFAS is running under logonid xxxxxxxx, which is the default STC logonid.

The IBM documentation topic 'Considerations for all couple data sets' states:

Security Considerations
It is the responsibility of the installation to provide the security environment for the couple data sets. Consider protecting the couple data sets with the same level of security as the XCF address space (XCFAS).

z/OS Security Server RACF System Programmer's Guide explains how to add a started procedure to the started procedures table.

Based on the above, the IBM publication 'Sysplex eBusiness Security z/OS V1R7 Update', which pertains to z/OS 1.7 and above, gives the following:

Example 2-1 shows how to define XCFAS in the RACF STARTED class and
associate a specific user ID with the XCFAS address space. The user ID in this
example is XCFUSER.

Example 2-1 Define XCFAS in the RACF STARTED class
ADDUSER XCFUSER NAME('XCF USER') DFLTGRP(SUPMVS) OWNER(SUPMVS) NOPASSWORD
RDEFINE STARTED XCFAS.* OWNER(SUPMVS) UACC(READ) +
 STDATA(USER(XCFUSER) GROUP(SUPMVS) TRUSTED(YES))
SETROPTS RACLIST(STARTED) REFRESH

Based on Example 2-1 above, the ACF2 equivalent would be:

ACF
SET LID
INSERT XCFUSER NAME(XCF USER) DFLTGRP(supmvs) RESTRICT NON-CNCL
SET CONTROL(GSO)    
INSERT STC.xcf STCID(XCFAS***) LOGONID(XCFUSER) 
F ACF2,REFRESH(STC) 

These commands create the logonid XCFUSER and assign it to every started task whose name begins with XCFAS. Because XCFUSER has the NON-CNCL attribute (the ACF2 equivalent of RACF 'TRUSTED'), the XCFAS task's access validations for datasets such as SYSXXX.XCF.yyyy are allowed.
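
An added example, not part of the original article or of ACF2 itself: a small Python parser for ACFRPTDS entries in the layout shown in the Resolution section, listing which started-task jobnames hit NORECORD violations under the default STC logonid (candidates for their own STC record or a dataset access rule). The field layout is assumed from the single entry on this page, and the second sample entry (USER01, PAYJOB) is constructed.

```python
import re
from collections import defaultdict

# Constructed sample: the first entry copies the layout shown above; the second
# is an invented batch job (USER01 / PAYJOB) to show what the filter skips.
SAMPLE_REPORT = """\
 xxxxxxxx  20.323 18/11 10.57       DATASET  VIOLATION
 XCFAS    VOL=volser DDN=SYSnnnnn DSN=SYSXXX.XCF.yyyy
 IEFPROC  VOL=       PGM=IXCINJST LIB=SYS1.LINKLIB
          DA-OPN OUTPUT  NORECORD NAM=DEFAULT STC LID      ROL=
 MCF      SRC=STCINRDR            UID=xxxxxxxx
 USER01    20.323 18/11 11.02       DATASET  VIOLATION
 PAYJOB   VOL=WRK001 DDN=SYSUT2   DSN=PAY.MASTER.FILE
 STEP1    VOL=       PGM=IEBGENER LIB=SYS1.LINKLIB
          DA-OPN OUTPUT  NORECORD NAM=TEST USER            ROL=
 MCF      SRC=INTRDR              UID=USER01
"""

# Entry header: logonid, yy.ddd date, dd/mm, hh.mm, then event class and type.
HEADER = re.compile(r"^\s*(\S+)\s+\d\d\.\d{3}\s+\d\d/\d\d\s+\d\d\.\d\d\s+DATASET\s+(\S+)")

def parse_entries(report):
    """Split report text into one dict per entry."""
    entries = []
    for line in report.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"lid": m.group(1), "event": m.group(2), "body": []})
        elif entries and line.strip():
            entries[-1]["body"].append(line)
    for e in entries:
        text = " ".join(e.pop("body"))
        e["job"] = (text.split() or [None])[0]  # jobname leads the second line
        for key in ("DSN", "PGM", "SRC"):
            found = re.search(key + r"=(\S+)", text)
            e[key.lower()] = found.group(1) if found else None
        e["norecord"] = "NORECORD" in text.split()
    return entries

def default_stc_gaps(entries, default_stc_lid):
    """Map jobname -> datasets denied with NORECORD under the default STC logonid."""
    gaps = defaultdict(set)
    for e in entries:
        if e["event"] == "VIOLATION" and e["norecord"] and e["lid"] == default_stc_lid:
            gaps[e["job"]].add(e["dsn"])
    return {job: sorted(dsns) for job, dsns in gaps.items()}

if __name__ == "__main__":
    print(default_stc_gaps(parse_entries(SAMPLE_REPORT), "xxxxxxxx"))
```

Pass the site's actual default STC logonid as the second argument; the placeholder `xxxxxxxx` is the one used in the article.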