
ACF2 z/OS 2.5 SDSF ISF024I error with external SDSF Security


Article ID: 256873


Products

ACF2

Issue/Introduction

After upgrading to z/OS 2.5 and implementing external security with ACF2, users are getting ISF024I USER USER001 NOT AUTHORIZED TO SDSF, NO GROUP ASSIGNMENT when entering SDSF.

 

 

Environment

ACF2 Release : 16.0
z/OS Release : 2.5

Resolution

A user must be assigned to a group in order to use SDSF. Users can display the name of the group to which they belong with the WHO command. For each GROUP defined in the SYS1.PARMLIB member ISFPRMxx (syntax: GROUP NAME(ISFSPROG)), a resource check is made for the CLASS(SDSF) resource GROUP.group-name.server-name.

When a user tries to access SDSF but is not assigned to any group, SDSF issues message ISF024I.

ISF024I USER USER001 NOT AUTHORIZED TO SDSF, NO GROUP ASSIGNMENT 

For example, suppose SYS1.PARMLIB ISFPRMxx defines these three groups:

GROUP NAME(ISFSPROG)
GROUP NAME(ISFOPER)
GROUP NAME(ISFUSER)      

The ACFRPTRV report shows that resource validations are done for the three groups defined in ISFPRMxx (ISFSPROG, ISFOPER and ISFUSER) and that logonid USER001 does not have access (*VIO) to any of them:

RSDF-GROUP.ISFSPROG.SDSF                        *VIO  RSDF-********             
0219         USER001     A28LO902 SYS8 ACF9CFAT NO-RULE     -     DIRECTRY READ 
22.362 12/28 09.51    USER001  USER001  MICHAEL                0   0  20   0  16
SAF RESOURCE CLASS SDSF                                                         
                                                                                
RESOURCE NAME: GROUP.ISFSPROG.SDSF
                     
RSDF-GROUP.ISFOPER.SDSF                         *VIO  RSDF-********             
0219         USER001     A28LO902 SYS8 ACF9CFAT NO-RULE     -     DIRECTRY READ 
22.362 12/28 09.51    USER001  USER001  MICHAEL                0   0  20   0  16
SAF RESOURCE CLASS SDSF                                                         
                                                                                
RESOURCE NAME: GROUP.ISFOPER.SDSF     

RSDF-GROUP.ISFUSER.SDSF                         *VIO  RSDF-********             
0219         USER001     A28LO902 SYS8 ACF9CFAT NO-RULE     -     DIRECTRY READ 
22.362 12/28 09.51    USER001  USER001  MICHAEL                0   0  20   0  16
SAF RESOURCE CLASS SDSF                                                         
                                                                                
RESOURCE NAME: GROUP.ISFUSER.SDSF            

                                                                 
USER001 enters 'SDSF' and gets ISF024I message:
           
ISF024I USER USER001 NOT AUTHORIZED TO SDSF, NO GROUP ASSIGNMENT 

Access is given to USER001 by adding the following rule.

ACF
SET RESOURCE(SDF)
RECKEY GROUP ADD(ISFUSER.SDSF USER(USER001) ALLOW)

$KEY(GROUP) TYPE(SDF) ROLESET          
 ISFUSER.SDSF USER(USER001) ALLOW 
     
Now USER001 enters 'SDSF' and issues the 'WHO' command:

SDSF MENU V2R5M0    MINIPLEX  SYS8                     LINE 1-40 (73)         
COMMAND INPUT ===>                                            SCROLL ===> PAGE
USERID=USER001,PROC=PROC333,TERMINAL=A33LO333,GRPINDEX=3,GRPNAME=ISFUSER,     
SECLABEL=,MVS=z/OS 02.05.00,JES=z/OS 2.5,SDSF=HQX77D0,ISPF=N/A,               
RMF/DA=HSF/NORMF,SERVER=YES,SERVERNAME=SDSF,JESNAME=JES2,MEMBER=SYS8,         
JESTYPE=JES2,SYSNAME=SYS8,SYSPLEX=MINIPLEX,COMM=NOTAVAIL,COMMX=ENABLED,       
JOBID=TSU03333,XCFGROUP=MVSSYS8,SESSID=5,NUMSESS=1       

Now the ACFRPTRV report shows violations for the first two groups, ISFSPROG and ISFOPER, and access allowed to group ISFUSER:

RSDF-GROUP.ISFSPROG.SDSF                        *VIO  RSDF-********             
0219         USER001     A28LO902 SYS8 ACF9CFAT NO-RULE     -     DIRECTRY READ 
22.362 12/28 10.07    USER001  USER001  MICHAEL                0   0  20   0  16
SAF RESOURCE CLASS SDSF                                                         
                                                                                
RESOURCE NAME: GROUP.ISFSPROG.SDSF                              

RSDF-GROUP.ISFOPER.SDSF                         *VIO  RSDF-********             
0219         USER001     A28LO902 SYS8 ACF9CFAT NO-RULE     -     DIRECTRY READ 
22.362 12/28 10.07    USER001  USER001  MICHAEL                0   0  20   0  16
SAF RESOURCE CLASS SDSF                                                         
                                                                                
RESOURCE NAME: GROUP.ISFOPER.SDSF     

RSDF-GROUP.ISFUSER.SDSF                          TRC  RSDF-GROUP                
0219         USER001     A28LO902 SYS8 ACF9CFAT RULE        -     DIRECTRY READ 
22.362 12/28 10.07    USER001  USER001  MICHAEL                0   0   0   0   0
SAF RESOURCE CLASS SDSF                                                         
                                                                                
RESOURCE NAME: GROUP.ISFUSER.SDSF          

So even with z/OS 2.5 SDSF external security, users need to be allowed access to at least one of the groups defined in the SYS1.PARMLIB ISFPRMxx member. However, SDSF access will be determined by rules and not by the SDSF groups used with internal SDSF security.
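An added example (not part of the original article or of ACF2/SDSF): a Python check that reads the GROUP statements and ACFRPTRV records shown above and reports, per logonid, which GROUP.group-name.server-name validations were allowed and whether ISF024I is to be expected. It assumes the report layout of the excerpts above (resource and event on the first record line, logonid as the second field of the next line) and treats any event other than *VIO as access allowed; the function names are hypothetical.

```python
import re

# ISFPRMxx GROUP statements, as in the article's example.
ISFPRM = """\
GROUP NAME(ISFSPROG)
GROUP NAME(ISFOPER)
GROUP NAME(ISFUSER)
"""

# First two lines of each ACFRPTRV record from the article's second report
# (spacing condensed; layout assumed to match those excerpts).
REPORT = """\
RSDF-GROUP.ISFSPROG.SDSF      *VIO  RSDF-********
0219   USER001  A28LO902 SYS8 ACF9CFAT NO-RULE  -  DIRECTRY READ
RSDF-GROUP.ISFOPER.SDSF       *VIO  RSDF-********
0219   USER001  A28LO902 SYS8 ACF9CFAT NO-RULE  -  DIRECTRY READ
RSDF-GROUP.ISFUSER.SDSF        TRC  RSDF-GROUP
0219   USER001  A28LO902 SYS8 ACF9CFAT RULE     -  DIRECTRY READ
"""

HEADER = re.compile(r"^RSDF-(GROUP\.(\w+)\.(\w+))\s+(\S+)")

def defined_groups(parm_text):
    """Group names in ISFPRMxx order, from GROUP NAME(xxx) statements."""
    return re.findall(r"^\s*GROUP\s+NAME\((\w+)\)", parm_text, re.M)

def group_checks(report_text, server="SDSF"):
    """Map logonid -> {group: event} for GROUP.group.server validations."""
    results, lines = {}, report_text.splitlines()
    for i, line in enumerate(lines[:-1]):
        m = HEADER.match(line)
        if not m or m.group(3) != server:
            continue
        fields = lines[i + 1].split()
        if len(fields) < 2:          # record does not follow the assumed layout
            continue
        results.setdefault(fields[1], {})[m.group(2)] = m.group(4)
    return results

def assess(parm_text, report_text):
    """Per logonid: groups granted, and whether ISF024I is expected."""
    groups = defined_groups(parm_text)
    out = {}
    for user, checks in group_checks(report_text).items():
        granted = [g for g in groups if g in checks and checks[g] != "*VIO"]
        out[user] = {"granted": granted, "isf024i": not granted}
    return out

if __name__ == "__main__":
    print(assess(ISFPRM, REPORT))
```

A logonid with an empty `granted` list has no allowed group validation in the report, which is the condition under which the article says SDSF issues ISF024I.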