Someone changed an ACF2 'rule' to cause the following errors, a rule line was added to resolve this access.
What audit report should be run to find the culprit?
00A0000 MXC 22343 06:48:15.45 STC27283 00000281 ACF04056 ACCESS TO RESOURCE AAAAAAAA.BBBBBBBB.CCCCCCCC.STC27283.D0000123
TYPE RSPL BY USER123 NOT AUTHORIZED
Release : 16.0
To review who changed the rule you should run ACFRPTEL.
If the rule had not been changed back to its original content, there would be an identifier of the user who made the change and the date/time it was done.
As the rule was changed to resolve the problem, the time of the rule change is not known.
Run a report against SMF data from the time that the rule was changed back..
If a new ruleset was needed to be created, run the report from the last known time of a valid rule validation.
ACFRPTEL would be a useful report to run.
//STEP2 EXEC PGM=ACFRPTEL,REGION=0M
//RECMAN1 DD DSN=SYS1.MAN1,DISP=SHR
//RECMAN2 DD DSN=SYS1.MAN2,DISP=SHR
//RECMAN3 DD DSN=SYS1.MAN3,DISP=SHR
//SYSPRINT DD SYSOUT=*
//HEXDUMP DD SYSOUT=*
//SYSIN DD *