ACF2 Troubleshooting Guide: Dataset/Resource unexpected violations or access allowed
search cancel

ACF2 Troubleshooting Guide: Dataset/Resource unexpected violations or access allowed

book

Article ID: 208225

calendar_today

Updated On:

Products

ACF2 ACF2 - z/OS ACF2 - MISC

Issue/Introduction

How to determine why dataset or resource violations in ACF2 are occurring that should be allowed or why access is being allowed and should be denied. 

Resolution

Table of Contents

If violations are occurring that should be allowed

  1. Issue a TSO, ACF, DECOMP of the rule that should allow access.
  2. Issue a TSO, ACF, LIST logonid of the logonid that is getting the violation.
  3. The ACFRPTDS(for dataset) or the ACFRPTRV(for resource) report should be ran against the SMF that was active at the time of the violation. The TRACE bit may need to be set on the logonid in order for the violation to show on the report.

If the access is being allowed and should be denied

  1. ‘a’ and ‘b’ above
  2. Add the ACF2 logonid Trace bit on the logonid that is being allowed access, from TSO, ACF, CHANGE logonid,TRACE
  3. The ACFRPTDS(for dataset) or the ACFRPTRV(for resource) report should be ran against the SMF that was active at the time of the access.
  4. Issue a TSO, ACF, SHOW STATE command to verify MODE(ABORT) and to CHECK RESVOLS(DSNAME PROTECTED VOLUMES) and SECVOLS(VOLSER PROTECTED VOLUMES).

How to set the TRACE bit

To turn on the TRACE in TSO ACF:

SET LID
CHA logonid TRACE

Replace logonid with the user receiving the violation. Note that the user will need to logoff and back on for the TRACE to take effect.

To turn off the TRACE after testing is completed:

SET LID
CHA logonid NOTRACE

Sample DS report JCL

//REPORT  EXEC PGM=ACFRPTDS                     
//SYSPRINT DD SYSOUT=*                          
//HEXDUMP  DD SYSOUT=*                          
//* RECMAN1  DD DSN=IFASMF.STREAM,DISP=SHR,
//*             SUBSYS=(LOGR,IFASEXIT)          
//RECMAN1  DD DISP=SHR,DSN=SYS1.MAN1            
//RECMAN2  DD DISP=SHR,DSN=SYS1.MAN2            
//RECMAN3  DD DISP=SHR,DSN=SYS1.MAN3            
//SYSIN    DD *                                 
TITLE(ACFRPTDS)                                 

Sample RV report JCL

//REPORT  EXEC PGM=ACFRPTRV                        
//SYSPRINT DD SYSOUT=*                             
//HEXDUMP  DD SYSOUT=*                             
//* RECMAN1  DD DSN=IFASMF.STREAM,DISP=SHR,   
//*             SUBSYS=(LOGR,IFASEXIT)             
//RECMAN1  DD DISP=SHR,DSN=SYS1.MAN1               
//RECMAN2  DD DISP=SHR,DSN=SYS1.MAN2               
//RECMAN3  DD DISP=SHR,DSN=SYS1.MAN3               
//SYSIN    DD *                                    
TITLE(ACFRPTRV)

Powered by Wolken Software