ACFRPTRV report shows LOG when ACF2 rule is an ALLOW

Article ID: 244564


Products

ACF2 - z/OS

Issue/Introduction

Why does the TEST command show that the ALLOW rule is being used while the ACFRPTRV report shows LOG, as shown below?

Resource Rule: 

$KEY(TESTLOC) TYPE(SPL)
*-.OS-.- UID(*) SERVICE(READ) LOG
- UID(**STC***123) ALLOW
- UID(**STC) LOG

- UID(*) SERVICE(READ) LOG

Test Command:

SET RESOURCE(SPL)

 RESOURCE
TEST TESTLOC
 .  RSRCNAME(TEST.ABC.DEF.GHI.JKL.MNOP) UID(  STC    ABCD) NOPREFIX
 ACF71114 THE FOLLOWING PARAMETERS ARE IN EFFECT:
  DATE=06/23/22 TIME=0908 SOURCE=********  UID=  STC    123
  LID=         ROLE=

  TARGET RESOURCE: TEST.ABC.DEF.GHI.JKL.MNOP

  VALIDATED RULE LINE FROM TEST TYPE SPL
  - UID(**STC***123) ALLOW

  RESULT: ACCESS WOULD BE ALLOWED
  REASON: RESOURCE RULE

ACFRPTRV Report:

CA ACF2 - ACFRPTRV - GENERALIZED RESOURCE LOG -                 PAGE    1
DATE 06/23/22 (22.174) TIME 08.53 ACFRPTRV - LOG

    DATE     TIME        SOURCE   JNAME    LID      NAME                 DISP      REC SERV LOOKUP-KEY
PRE PST RMC INT FIN UID                       CPU  MODULE   KEY-MOD  DSP-MOD          REQUESTED RESOURCE
MLS     USER-SECLABEL RSRC-SECLABEL MODE   SRC     RRC      RSN

22.174 06/23 08.43       STCINRDR ABCD ABCD ABCD STC ID -P  RULE      LOG READ RSPL-TEST
  0   0   0   4   4   STC     STC    ABCD TEST ACF9CAUT DIRECTRY    -             RSPL-TEST
SAF RESOURCE CLASS JESSPOOL

RESOURCE NAME: TEST.ABC.DEF.GHI.JKL.MNOP

 


 

Environment

Release :

Component :

Resolution

Resource validation is being done from the more specific rule entry -.OS-.- UID(*) SERVICE(READ) LOG, which is the first entry in the rule set below:

$KEY(TESTLOC) TYPE(SPL)
*-.OS-.- UID(*) SERVICE(READ) LOG
- UID(**STC***123) ALLOW
- UID(**STC) LOG

- UID(*) SERVICE(READ) LOG

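The logged request was a READ (the SERV column of the ACFRPTRV record shows READ), but the TEST command above did not specify a service. Adding SERVICE(READ) to the TEST command shows the correct results.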