Access to read a member in a PDS member level protected dataset should be denied, but is still being allowed. After verifying the dataset rules, resource rules, GSO records, and PTFs were correct and in place, access was still being allowed even though the rules should deny access. CAPDSSEC dataset rules were also verified and PDS member level protection was not being bypassed. An ACFRPTRV report shows that the PDS type resource rule is not being called.
Sample Dataset Rule:
- UID(********TESTUSR) READ(A) EXEC(A)
Sample Resource Rule:
Sample GSO record:
**** / PDS.TESTLIB LAST CHANGED BY ADMINUSR ON 04/19/21-12:50
LIBRARY(TESTDS.INFO.DATA) RSRCTYPE(PDS) VOLUME()
Following PTFs were in place:
An APAR was opened at IBM to ensure that the DESB is initialized before the DESERV exit is called for the first time. The APAR number is OA61235.
A problem was discovered with the input to the DESERV exit (CAS4DSRV). There are a number of control blocks that get picked up by the code and validated before any GETMAIN is issued to ensure that the environment appears correct. The input field DESP_AREA_PTR had a non-zero value which does not address a valid 'IGWDESB', so ACF2 was unable to handle the request properly. According to IBM documentation there should be a value in either DESP_AREA_PTR or DESP_AREAPTR_PTR addressing the DESB area. DESP_AREAPTR_PTR contained zeros. IBM confirmed the DESB is not initialized before the first call to the exit and that it is done afterwards, during the GET processing.