When trying to set up a user with appropriate access to SAF resources for z/OSMF the following error explanation is seen:
The requested user ID xxxxxxxx does not have access to the SAF resource IZUDFLT
How is the correct ACF2 access given to the SAF resource IZUDFLT?
Release : 16.0
Component : ACF2 for z/OS
The easiest way to diagnose z/OSMF security violations in ACF2 is to set the TRACE bit on the logonid receiving the violation (this forces SMF records to be cut for ACF2 validations), re-create the error, and then run the ACFRPTRV report to view the violation. With the exact violation(s), resource rules can then be written to address the violation.
To turn on the TRACE bit in TSO ACF:
SET LID
CHA logonid TRACE
Replace logonid with the user receiving the violation.
Note that the user will need to logoff and back on for the TRACE to take effect.
To turn off the TRACE after testing is completed:
SET LID
CHA logonid NOTRACE
Sample RV report JCL:
//REPORT EXEC PGM=ACFRPTRV
//SYSPRINT DD SYSOUT=*
//HEXDUMP DD SYSOUT=*
//* RECMAN1 DD DSN=IFASMF.STREAM,DISP=SHR,
//* SUBSYS=(LOGR,IFASEXIT)
//RECMAN1 DD DISP=SHR,DSN=SYS1.MAN1
//RECMAN2 DD DISP=SHR,DSN=SYS1.MAN2
//RECMAN3 DD DISP=SHR,DSN=SYS1.MAN3
//SYSIN DD *
TITLE(ACFRPTRV)