GSO infodir record added for ACF2 CICS transaction validations but users not prevented acess
search cancel

GSO infodir record added for ACF2 CICS transaction validations but users not prevented acess

book

Article ID: 245932

calendar_today

Updated On:

Products

ACF2 - z/OS

Issue/Introduction

Changed CICS transaction rules to be globally resident instead of locally resident.

SET C(GSO)                       
CHA INFODIR TYPES(R-RCKC) ADD
F ACF2,REFRESH(INFODIR)
F ACF2,REBUILD(CKC)

validations were not preventing users from accessing the transactions.
Rules were written correctly. 

Environment

Release : 16.0

Component : ACF2 for z/OS

Cause

This problem was not resolved by resetting the cics session cache

Resolution

The process of resetting the session cache did not make any difference to the validation process not stopping access.

https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-acf2-for-z-os/16-0/implementing-cics-and-ims-environments/cics-support/the-master-terminal-transaction-acfm/acfm-function-summary/rc-resource-control.html

"The console must reload globally resident directories.
When globally resident rules are reloaded, run ACFM function RC, 
option RESET, to reset the cache. 
If the cache is not reset when rules change, users previously 
granted access to resources could gain access through the session 
cache, even though the new rules do not authorize access. "


It is possible that new users AND EXISTING USERS could be affected 
by rule changes depending on how the rules are maintained.
It is good practice to ALWAYS issue a reset whenever an
F ACF2,REBUILD(xxx) command is issued.   



The problem in this case was that the transactions were not validated because of the protlist and safelist.

There was a masked entry in safelist to cover everything except for a few entries in the protlist.

after making changes to protlist the relevant transactions were protected. 

https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-acf2-for-z-os/16-0/implementing-cics-and-ims-environments/cics-support/resource-validation.html