When the ACF2 TEST command is used to test access to a CSFKEYS resource, the output shows that access would be denied even though access is expected to be granted:
RESOURCE
TEST
. lid(USERLID) RSRCNAME('TEST.POC.KEY')
THE FOLLOWING PARAMETERS ARE IN EFFECT:
DATE=03/15/21 TIME=1604 SOURCE=******** UID=*****************USERLID
LID=USERLID ROLE=
TARGET RESOURCE: RCSF TEST.POC.KEY
NO RULE APPLIES IN RESOURCE RECORD TEST TYPE CSF
RESULT: ACCESS WOULD BE DENIED
REASON: KEY MODIFIED BY DIRECTORY
Resource rules for the CSFKEYS class must specify a new resource rule parameter, "WHEN(CRITERIA(SMS(DSENCRYPTION)))". This requirement also applies when testing these rules with the TEST command. Specifying WHEN(CRITERIA(SMS(DSENCRYPTION))) in the TEST parameters shows the accurate result:
RESOURCE
TEST
. lid(USERLID) RSRCNAME('TEST.POC.KEY') WHEN(CRITERIA(SMS(DSENCRYPTION)))
THE FOLLOWING PARAMETERS ARE IN EFFECT:
DATE=03/15/21 TIME=1604 SOURCE=******** UID=*****************USERLID
LID=USERLID ROLE=
WHEN=CRITERIA(SMS(DSENCRYPTION))
TARGET RESOURCE: RCSF TEST.POC.KEY
VALIDATED RULE LINE FROM TEST TYPE CSF
POC.KEY UID(*****************USERLID) ALLOW WHEN(CRITERIA(SMS(DSENCRYPTION)))
RESULT: ACCESS WOULD BE ALLOWED
REASON: RESOURCE RULE