Two ACF2 users are trying to run the same job, but one user gets a failure and the other runs it successfully. The issue is with dataset allocation. When checking the users' access with the ISPF ACFTEST feature (TSO, ACF TEST subcommand), it says they should both fail. What is causing this discrepancy? The output of the ACFTEST shows:
------------- ACFTEST OUTPUT DISPLAY AREA --------------------
ACF71014 THE FOLLOWING PARAMETERS ARE IN EFFECT:
DDN=****** UID=**************TESTUSR1
LID=TESTUSR1
DATE=03/21/22 SOURCE=********
VOL= DSN=TEST.DATASET
PGM=****** LIB=***.***
TIME=***** ACCESS=ALLOC
VALIDATED RULE LINE FROM TEST
- UID(*) READ(A) WRITE(L) EXEC(A)
RESULT: DENY
REASON: $MODEAB =$MODE(ABORT) SPECIFIED IN ACCESS RULE
------------- ACFTEST OUTPUT DISPLAY AREA --------------------
ACF71014 THE FOLLOWING PARAMETERS ARE IN EFFECT:
DDN=****** UID=**************TESTUSR2
LID=TESTUSR2
DATE=03/21/22 SOURCE=********
VOL= DSN=TEST.DATASET
PGM=****** LIB=***.***
TIME=***** ACCESS=ALLOC
VALIDATED RULE LINE FROM TEST
- UID(*) READ(A) WRITE(L) EXEC(A)
RESULT: DENY
REASON: $MODEAB =$MODE(ABORT) SPECIFIED IN ACCESS RULE
Release : 16.0
Component : ACF2 for z/OS
TESTUSR1 has SECURITY privileges and will bypass any access rules that have been written, whereas TESTUSR2 does not have SECURITY privileges. A LIST of the logonid record will show that the SECURITY bit is set, and a DS report run against the SMF data active at the time of access will show that the user was allowed and logged due to this privilege:
TESTUSR1 22.084 03/25 12.34 DATASET LOGGING SEC-OFF
JOB VOL=xxxxxx DDN= DSN=TEST.DATASET
STEP0010 VOL= PGM=pgmname LIB=SYS1.LINKLIB
JOBxxxxx ALLOC ALLOC NOACCESS NAM=USER, TEST ROL=
ISPF ACFTEST / the TEST subcommand will not show whether or not access is granted based on SECURITY, NON-CNCL, or user exit processing.
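To find the cases described above, where ACFTEST reports DENY but the access was allowed and logged under the SECURITY privilege, the two outputs can be cross-checked. The following is an added example, not part of the original article or of ACF2: the function names are hypothetical, the sample text is constructed from the excerpts above, and the parser assumes DS report records follow the layout of that excerpt.

```python
import re

# Constructed sample input, modelled on the two excerpts shown above.
ACFTEST_OUTPUT = """\
LID=TESTUSR1
VOL= DSN=TEST.DATASET
RESULT: DENY
LID=TESTUSR2
VOL= DSN=TEST.DATASET
RESULT: DENY
"""
DS_REPORT = """\
TESTUSR1 22.084 03/25 12.34 DATASET LOGGING SEC-OFF
JOB VOL=xxxxxx DDN= DSN=TEST.DATASET
STEP0010 VOL= PGM=pgmname LIB=SYS1.LINKLIB
JOBxxxxx ALLOC ALLOC NOACCESS NAM=USER, TEST ROL=
"""
# Assumed record header: logonid, yy.ddd, mm/dd, hh.mm, DATASET, event, optional reason.
HEADER = re.compile(r"^(\S+)\s+\d{2}\.\d{3}\s+\S+\s+\S+\s+DATASET\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_acftest(text):
    """Return {(logonid, dsn): result} from ACFTEST display text."""
    results, lid, dsn = {}, None, None
    for line in text.splitlines():
        if m := re.search(r"\bLID=(\S+)", line):
            lid = m.group(1)
        if m := re.search(r"\bDSN=(\S+)", line):
            dsn = m.group(1)
        if m := re.match(r"\s*RESULT:\s*(\S+)", line):
            results[(lid, dsn)] = m.group(1)
    return results

def parse_ds_report(text):
    """Return one dict per DS report record: lid, event, reason, dsn."""
    events = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            events.append({"lid": m.group(1), "event": m.group(2),
                           "reason": m.group(3), "dsn": None})
        elif events and events[-1]["dsn"] is None and (m := re.search(r"\bDSN=(\S+)", line)):
            events[-1]["dsn"] = m.group(1)  # first DSN= after the header
    return events

def privilege_overrides(acftest_text, ds_text):
    """Records logged as SEC-OFF for a logonid/dataset that ACFTEST denied."""
    tested = parse_acftest(acftest_text)
    return [e for e in parse_ds_report(ds_text)
            if e["event"] == "LOGGING" and e["reason"] == "SEC-OFF"
            and tested.get((e["lid"], e["dsn"])) == "DENY"]
```

Each returned record identifies a logonid whose access came from the privilege rather than from the rule set, which is the set of users whose ACFTEST results should not be taken at face value.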