With ACF2 rules for SDSF resources were written for ISFATTR , permission was denied but no logging to SMF
search cancel

With ACF2 rules for SDSF resources were written for ISFATTR , permission was denied but no logging to SMF

book

Article ID: 238866

calendar_today

Updated On:

Products

ACF2 - z/OS

Issue/Introduction

Resource rules for class SDSF  resources for Overtypeable Fields with key of ISFATTR
are failing but there are no loggings recorded in ACFRPTRV

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

The racroute request=auth class=sdsf entity= ISFATTR.xxxxx.yyyy calls
are issued with log=nostat which prevents smf records from being written

A sectrace shows the following

 SMFID= DE28         TOD= 13:55:46.82    TRACEID= USER001       USERID= USER001  
 JOBNAME= USER001A    ASID= 005D          PGM= ISFMAIN        CURR RB= ISFMAIN 
 SFR/RFR= 0/0:0      MODE= TASK          APF= AUTHORIZED     LOCKS= NONE      
 SAFDEF= SDSF     GSO      MODE= GLOBAL                                       
                                                                              
 RACROUTE REQUEST=AUTH,REQSTOR='ISFUATTR',CLASS='SDSF',RELEASE=1.9,           
          STATUS=NONE,APPL='SDSF',ATTR=UPDATE,DSTYPE=N,DECOUPL=YES,           
          ENTITYX=('ISFATTR.JOB.PRTY'),FILESEQ=0,GENERIC=ASIS,                
          LOG=NOSTAT,MSGSP=0,MSGSUPP=YES,TAPELBL=STD,WORKA=                   

Additional Information

Note: Trace on a logonid will cause a logging of these requests

IBM documentation for racroute request=auth provides the following information

The 4 options available for LOG=  are

LOG=ASIS,
LOG=NOFAIL
LOG=NONE
LOG=NOSTAT 

ASIS
RACF records the event in the manner specified in the profile that protects the resource, or by other methods such as a SETROPTS option.
NOFAIL
If the authorization check fails, the attempt is not recorded. If the authorization check succeeds, the attempt is recorded as in ASIS

.Note: When SETROPTS PROTECTALL(WARNING) is in effect, the attempt is recorded as for ASIS.

NONE
The attempt is not recorded.

LOG=NONE suppresses both messages and SMF records regardless of MSGSUPP=NO and MSGRTRN.
NOSTAT
Like LOG=NONE, the attempt is not recorded and it suppresses both messages and SMF records regardless of the
MSGSUPP and MSGRTRN keyword values. It differs in that, even if resource statistic gathering had been requested, it would not occur.

Programs must be APF-authorized, system key 0–7, or in supervisor state to use the NOFAIL, NONE, and NOSTAT keywords.