ACF99913 violation with SETXCF command and ACF2 permissions for the Default STC logonid

Article ID: 203878

Products

ACF2, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

Problems with the SETXCF command and ACF2 permissions. The couple data set SYSPLX.UKNPLX01.XCF.CDS03 can be allocated without any problems. To make the new couple data set available, the SETXCF command was issued, but without success. There are 2 LPARs in the sysplex, both running z/OS 2.3 at the same level.

MCF      20323 13:35:09.99 JTTS7401 00000290  SETXCF COUPLE,ACOUPLE=(SYSPLX.UKNPLX01.XCF.CDS03)                      
MCF      20323 13:35:09.99 JTTS7401 00000090  IXC309I SETXCF COUPLE,ACOUPLE REQUEST FOR SYSPLEX WAS ACCEPTED         
MCF      20323 13:35:09.99          00000090  IXC260I ALTERNATE COUPLE DATA SET REQUEST FROM SYSTEM 008              
                                008 00000090  MCF FOR SYSPLEX IS NOW BEING PROCESSED.                                
                                008 00000090  DATA SET:  SYSPLX.UKNPLX01.XCF.CDS03                                   
MCF      20323 13:35:10.00          00000294  IEF196I IEF237I CE00 ALLOCATED TO SYS00137                             
MCF      20323 13:35:10.00          00000285  ACF99913 ACF2 VIOLATION-04,00,JSZZZZZ,UKNCF1,SYSPLX.UKNPLX01.XCF.CDS03,
                                              N/A                                                                    
MCF      20323 13:35:10.00          00000294  IEF196I ACF99913 ACF2 VIOLATION-04,00,JSZZZZZ,UKNCF1,                  
MCF      20323 13:35:10.00          00000294  IEF196I SYSPLX.UKNPLX01.XCF.CDS03,N/A                                  
MCF      20323 13:35:10.00          00000285  ACF90913  -DATASET CANNOT BE OPENED; AUTHORIZATION IS REQUIRED.        
MCF      20323 13:35:10.00          00000294  IEF196I ACF90913  -DATASET CANNOT BE OPENED; AUTHORIZATION IS REQUIRED.
MCF      20323 13:35:10.01          00000294  IEF196I IEF285I   SYSPLX.UKNPLX01.XCF.CDS03                    KEPT    
MCF      20323 13:35:10.01          00000090  IXC250I ALTERNATE COUPLE DATA SET REQUEST FAILED FOR DATA SET 015      
                                015 00000090  SYSPLX.UKNPLX01.XCF.CDS03 FOR SYSPLEX:                                 
                                015 00000090  THE CAUSE OF THE FAILURE IS UNKNOWN                                    
MCF      20323 13:35:10.01          00000294  IEF196I IEF285I   VOL SER NOS= UKNCF1.                                 

The reason could not be identified. The ACF2 administrator verified the permission settings, and all permissions are granted. Why does the user JSZZZZZ appear in the message when the SETXCF command is issued? That is the default STC id.

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

The ACFRPTDS report entry for the violation on SYSPLX.UKNPLX01.XCF.CDS01 shows 'NORECORD', which indicates there is no dataset access rule for SYSPLX:

JSZZZZZ 20.323 18/11 10.57 DATASET VIOLATION
XCFAS VOL=UKNCF1 DDN=SYS00129 DSN=SYSPLX.UKNPLX01.XCF.CDS01
IEFPROC VOL= PGM=IXCINJST LIB=SYS1.LINKLIB
DA-OPN OUTPUT NORECORD NAM=DEFAULT STC LID ROL=
MCF SRC=STCINRDR UID=J1SZZZZZZZZ

The jobname XCFAS is running under logonid JSZZZZZ which you indicated is the default STC logonid.

The following was found in the IBM documentation 'Considerations for all couple data sets':

Security Considerations
It is the responsibility of the installation to provide the security environment for the couple data sets. Consider protecting the couple data sets with the same level of security as the XCF address space (XCFAS).

z/OS Security Server RACF System Programmer's Guide explains how to add a started procedure to the started procedures table.

Following on from the above, IBM's 'Sysplex eBusiness Security z/OS V1R7 Update', which pertains to z/OS 1.7 and above, gives this example:

Example 2-1 shows how to define XCFAS in the RACF STARTED class and
associate a specific user ID with the XCFAS address space. The user ID in this
example is XCFUSER.

Example 2-1 Define XCFAS in the RACF STARTED class
ADDUSER XCFUSER NAME('XCF USER') DFLTGRP(SUPMVS) OWNER(SUPMVS) NOPASSWORD
RDEFINE STARTED XCFAS.* OWNER(SUPMVS) UACC(READ) +
STDATA(USER(XCFUSER) GROUP(SUPMVS) TRUSTED(YES))
SETROPTS RACLIST(STARTED) REFRESH

Based on Example 2-1 above the ACF2 equivalent would be:

ACF
SET LID
INSERT XCFUSER NAME(XCF USER) DFLTGRP(supmvs) RESTRICT NON-CNCL
SET CONTROL(GSO)
INSERT STC.xcf STCID(XCFAS***) LOGONID(XCFUSER)
F ACF2,REFRESH(STC)

The commands above create the logonid XCFUSER and assign it to all started tasks whose names begin with XCFAS. Because the logonid XCFUSER is NON-CNCL (the ACF2 equivalent of RACF 'TRUSTED'), the dataset validations for the XCFAS task, such as access to SYSPLX.UKNPLX01.XCF.CDS01, would be allowed.
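
A triage check for the symptom described above, as an added example that is not part of the original article or of ACF2: it rejoins the wrapped ACF99913 lines from the syslog, drops the IEF196I echo, and lists the violations charged to the default STC logonid. Only the logonid, volume and data set positions are read off the page's message; the other field names, the function names and the trimmed sample are assumptions.

```python
import re

# Constructed sample: the ACF99913/ACF90913 lines from the syslog above with
# trailing padding trimmed. The IEF196I lines echo the same violation.
SAMPLE = """\
MCF      20323 13:35:10.00          00000285  ACF99913 ACF2 VIOLATION-04,00,JSZZZZZ,UKNCF1,SYSPLX.UKNPLX01.XCF.CDS03,
                                              N/A
MCF      20323 13:35:10.00          00000294  IEF196I ACF99913 ACF2 VIOLATION-04,00,JSZZZZZ,UKNCF1,
MCF      20323 13:35:10.00          00000294  IEF196I SYSPLX.UKNPLX01.XCF.CDS03,N/A
MCF      20323 13:35:10.00          00000285  ACF90913  -DATASET CANNOT BE OPENED; AUTHORIZATION IS REQUIRED.
"""

FLAGS = re.compile(r"\s[0-9A-F]{8}\s{2}(.*)$")  # 8-character flags field, then text
# Assumption: only the logonid, volume and data set positions are read off the
# page's message; the other three fields are kept as unnamed opaque strings.
VIOL = re.compile(r"ACF99913 ACF2 VIOLATION-(\w+),(\w+),(\w+),(\w*),([^,]+),(.*)")
KEYS = ("field1", "field2", "logonid", "volume", "dsn", "field6")

def message_text(line):
    """Message part of a syslog line, without the IEF196I echo prefix."""
    m = FLAGS.search(line)
    text = (m.group(1) if m else line).strip()
    return text[len("IEF196I"):].strip() if text.startswith("IEF196I") else text

def parse_violations(syslog):
    """Rejoin wrapped ACF99913 messages; return unique violations in order."""
    found, pending = [], None
    for line in syslog.splitlines():
        text = message_text(line)
        if text.startswith("ACF99913"):
            pending = text
        elif pending:
            pending += text                      # continuation of a wrapped message
        if not pending or pending.endswith(","):
            continue                             # nothing open, or field list still open
        m, pending = VIOL.match(pending), None
        rec = dict(zip(KEYS, m.groups())) if m else None
        if rec and rec not in found:             # skip the IEF196I duplicate
            found.append(rec)
    return found

def under_default_stc(violations, default_stc_lid):
    """Violations charged to the default STC logonid (task had no logonid of its own)."""
    return [v for v in violations if v["logonid"] == default_stc_lid]

if __name__ == "__main__":
    for v in under_default_stc(parse_violations(SAMPLE), "JSZZZZZ"):
        print(f"{v['logonid']} denied {v['dsn']} on {v['volume']}: assign the task its own logonid")
```

The default STC logonid is site-specific and is passed in by the caller; JSZZZZZ is the value from this case.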