ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

ACF2 Access rule denies access according to TEST command, but access is still allowed

book

Article ID: 237865

calendar_today

Updated On:

Products

ACF2 - z/OS ACF2 ACF2 - MISC

Issue/Introduction

Two ACF2 users are trying to run the same job, but one user gets a failure and the other successfully runs. The issue is with dataset allocation. When checking the users access using the ISPF ACFTEST feature (TSO, ACF TEST subcommand), it says they should both fail. What is causing this discrepancy? The output of the ACFTEST shows:                                   

       ------------- ACFTEST OUTPUT DISPLAY AREA --------------------      

ACF71014 THE FOLLOWING PARAMETERS ARE IN EFFECT:    
 DDN=******     UID=**************TESTUSR1           
 LID=TESTUSR1                                       

 DATE=03/21/22  SOURCE=********                       
 VOL=           DSN=TEST.DATASET            
 PGM=******     LIB=***.***                           
 TIME=*****     ACCESS=ALLOC                          
                                                      
 VALIDATED RULE LINE FROM TEST                      
 - UID(*) READ(A) WRITE(L) EXEC(A)          
                                                      
 RESULT: DENY                                         
 REASON: $MODEAB =$MODE(ABORT) SPECIFIED IN ACCESS RULE


                                                                                                     
         ------------- ACFTEST OUTPUT DISPLAY AREA --------------------  
    
 ACF71014 THE FOLLOWING PARAMETERS ARE IN EFFECT:                             
  DDN=******     UID=**************TESTUSR2                                   
  LID=TESTUSR2                                                                

  DATE=03/21/22  SOURCE=********                            
  VOL=           DSN=TEST.DATASET                
  PGM=******     LIB=***.***                                
  TIME=*****     ACCESS=ALLOC                               
                                                            
  VALIDATED RULE LINE FROM TEST                           
  - UID(*) READ(A) WRITE(L) EXEC(A)               
                                                            
  RESULT: DENY                                              
  REASON: $MODEAB =$MODE(ABORT) SPECIFIED IN ACCESS RULE    

 

 

 

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

TESTUSR1 has SECURITY privileges and will bypass any rule writing that takes place, where TESTUSR2 does not have SECURITY privileges. A LIST of the logonid record will show the SECURITY bit is set and a DS report ran against the SMF active at the time of access will show the user was allowed and logged due to this privilege:

TESTUSR1 22.084 03/25 12.34       DATASET  LOGGING   SEC-OFF
JOB VOL=xxxxxx DDN=         DSN=TEST.DATASET
STEP0010 VOL=       PGM=pgmname LIB=SYS1.LINKLIB
JOBxxxxx ALLOC  ALLOC   NOACCESS NAM=USER, TEST        ROL=

ISPF ACFTEST / the TEST subcommand will not show whether or not access is granted based on SECURITY, NON-CNCL, or user exit processing.