ACF2 TEST command for CSFKEYS rules shows ACCESS WOULD BE DENIED

Article ID: 210655

Products

CA ACF2, CA ACF2 - MISC, CA ACF2 - z/OS

Issue/Introduction

When the ACF2 TEST command is used to test access to a CSFKEYS resource, the output shows that the rule would deny access even though access is expected to be granted:

RESOURCE                                                            
TEST                                                                  
.  lid(USERLID) RSRCNAME('TEST.POC.KEY')                               

THE FOLLOWING PARAMETERS ARE IN EFFECT:                             
DATE=03/15/21 TIME=1604 SOURCE=********  UID=*****************USERLID
LID=USERLID    ROLE=                                                 

TARGET RESOURCE: RCSF TEST.POC.KEY                                 

NO RULE APPLIES IN RESOURCE RECORD TEST TYPE CSF                    

RESULT: ACCESS WOULD BE DENIED                                     
REASON: KEY MODIFIED BY DIRECTORY 

Resolution

Resource rules for the CSFKEYS class must specify a new resource rule parameter of "WHEN(CRITERIA(SMS(DSENCRYPTION)))". This requirement also applies to testing these rules using the TEST command. Specifying WHEN(CRITERIA(SMS(DSENCRYPTION))) in the TEST parameters will show the accurate result.

RESOURCE                                                                       
TEST                                                                  
.  lid(USERLID) RSRCNAME('TEST.POC.KEY') WHEN(CRITERIA(SMS(DSENCRYPTION)))                             

THE FOLLOWING PARAMETERS ARE IN EFFECT:                             
DATE=03/15/21 TIME=1604 SOURCE=********  UID=*****************USERLID
LID=USERLID    ROLE=  
WHEN=CRITERIA(SMS(DSENCRYPTION))                                               

TARGET RESOURCE: RCSF TEST.POC.KEY  

VALIDATED RULE LINE FROM TEST TYPE CSF                                         
POC.KEY UID(*****************USERLID) ALLOW WHEN(CRITERIA(SMS(DSENCRYPTION)))            
                                                                                
RESULT: ACCESS WOULD BE ALLOWED                                               
REASON: RESOURCE RULE
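
The following Python helper is an added example, not part of the original article or of any ACF2 tooling. It parses captured TEST output in the layout shown above and flags denied CSF tests that ran with no WHEN= in effect, which per this article should be re-run with WHEN(CRITERIA(SMS(DSENCRYPTION))). The function names and the assumption that each result ends with a REASON line are hypothetical.

```python
import re

# Constructed sample: two TEST results abridged from the output in this article.
SAMPLE = """\
.  lid(USERLID) RSRCNAME('TEST.POC.KEY')
THE FOLLOWING PARAMETERS ARE IN EFFECT:
LID=USERLID    ROLE=
TARGET RESOURCE: RCSF TEST.POC.KEY
NO RULE APPLIES IN RESOURCE RECORD TEST TYPE CSF
RESULT: ACCESS WOULD BE DENIED
REASON: KEY MODIFIED BY DIRECTORY
.  lid(USERLID) RSRCNAME('TEST.POC.KEY') WHEN(CRITERIA(SMS(DSENCRYPTION)))
THE FOLLOWING PARAMETERS ARE IN EFFECT:
LID=USERLID    ROLE=
WHEN=CRITERIA(SMS(DSENCRYPTION))
TARGET RESOURCE: RCSF TEST.POC.KEY
VALIDATED RULE LINE FROM TEST TYPE CSF
POC.KEY UID(*****************USERLID) ALLOW WHEN(CRITERIA(SMS(DSENCRYPTION)))
RESULT: ACCESS WOULD BE ALLOWED
REASON: RESOURCE RULE
"""

# Assumption: field layout is taken only from the output lines shown on this page.
FIELDS = {
    "lid": re.compile(r"^LID=(\S+)"),
    "when": re.compile(r"^WHEN=(\S+)"),
    "target": re.compile(r"^TARGET RESOURCE:\s+(\S+)\s+(\S+)"),
    "result": re.compile(r"^RESULT: ACCESS WOULD BE (\w+)"),
    "reason": re.compile(r"^REASON:\s+(.*\S)"),
}

def parse_tests(text):
    """Split a captured session into one dict per TEST result."""
    tests, cur = [], {}
    for line in text.splitlines():
        line = line.strip()
        for name, rx in FIELDS.items():
            m = rx.match(line)
            if m:
                cur[name] = m.groups() if name == "target" else m.group(1)
        if "reason" in cur:  # REASON is treated as the last line of a result
            tests.append(cur)
            cur = {}
    return tests

def needs_retest(t):
    """Denied CSF test with no WHEN= in effect: the result may be misleading."""
    rtype = t.get("target", ("", ""))[0]
    return t.get("result") == "DENIED" and rtype == "RCSF" and "when" not in t
```

Calling `[t for t in parse_tests(SAMPLE) if needs_retest(t)]` returns only the first test, the one run without the WHEN criteria.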