search cancel

ACF2 Access to SAF resource IZUDFLT

book

Article ID: 240972

calendar_today

Updated On:

Products

ACF2 - z/OS ACF2 - MISC ACF2

Issue/Introduction

When trying to set up a user with appropriate access to SAF resources for z/OSMF the following error explanation is seen:

The requested user ID xxxxxxxx does not have access to the SAF resource IZUDFLT

How is the correct ACF2 access given to the SAF resource IZUDFLT?

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

The easiest way to diagnose z/OSMF security violations in ACF2 is to set the TRACE bit on the logonid receiving the violation (this forces SMF records to be cut for ACF2 validations), re-create the error, and then run the ACFRPTRV report to view the violation. With the exact violation(s), resource rules can then be written to address the violation. 

To turn on the TRACE bit in TSO ACF:

SET LID
CHA logonid TRACE

Replace logonid with the user receiving the violation.
Note that the user will need to logoff and back on for the TRACE to take effect.

To turn off the TRACE after testing is completed:

SET LID
CHA logonid NOTRACE

Sample RV report JCL:
//REPORT  EXEC PGM=ACFRPTRV                        
//SYSPRINT DD SYSOUT=*                             
//HEXDUMP  DD SYSOUT=*                             
//* RECMAN1  DD DSN=IFASMF.STREAM,DISP=SHR,   
//*             SUBSYS=(LOGR,IFASEXIT)             
//RECMAN1  DD DISP=SHR,DSN=SYS1.MAN1               
//RECMAN2  DD DISP=SHR,DSN=SYS1.MAN2               
//RECMAN3  DD DISP=SHR,DSN=SYS1.MAN3               
//SYSIN    DD *                                    
TITLE(ACFRPTRV)