The GSO MAINT record allows sites to bypass rule validation for a specific environment: when the library, LID, and program of an access match the GSO MAINT record, the access is allowed and no SMF logging records are created. Disk compression and archiving are examples of standard system maintenance functions that would normally require special logonid privileges such as NON-CNCL, or rules coded for any dataset that is accessed.
How can ACF2 access allowed by a GSO MAINT record be tracked?
ACF2 rel 16.0
z/OS
The logonid field MAINTTRC can be used to specify that an SMF record be cut for every access that was allowed because it matched a MAINT environment. For example, the access matched a MAINT record and the userid had MAINT or NON-CNCL turned on. The MAINT-PGM flag in the ACFRPTDS report shows the access that was allowed due to a GSO MAINT record.
Example:
Logonid LDAPTASK has NON-CNCL, which logs and allows full access to any data set or resource:
ACF
LIST LDAPTASK
LDAPTASK LDAPTASK LDAP SERVER 15.1
COMPANY() DEPT() IDNUM() LEVEL() LOCATION() OLDLID()
OWNER() OWNTYPE() POSITION() PROJECT() SITE()
PRIVILEGES MUSASS NO-SMC NON-CNCL
ACCESS ACC-CNT(149) ACC-DATE(01/19/23) ACC-SRCE(STCINRDR)
ACC-TIME(15:51)
PASSWORD KERB-VIO(0) KERBCURV() PSWA1TOD(04/07/21-07:25)
PSWA2TOD(00/00/00-00:00) PSWD-DAT(00/00/00) PSWD-EXP
PSWD-INV(0) PSWD-TOD(04/07/21-07:25) PSWD-VIO(0)
PSWDCVIO(0) PWP-DATE(00/00/00) PWP-VIO(0)
TSO DFT-PFX(LDAPTASK) DFT-PFX8(LDAPTASK)
STATISTICS CRE-TOD(04/07/21-07:25) SEC-VIO(0)
UPD-TOD(01/19/23-15:53)
MUSASS MUSUPDT
RESTRICTIONS GROUP(ENF) PREFIX(LDAPTASK)
When LDAPTASK is started, accesses to two datasets are logged. The ACFRPTDS report shows that access was allowed because of NON-CNCL:
CA ACF2 - ACFRPTDS - DATASET ACCESS JOURNAL - PAGE 1
DATE 01/19/23 (23.019) TIME 15.54 ACFRPTDS
LDAPTASK 23.019 01/19 15.49 DATASET LOGGING NON-CANC
LDAPTASK VOL=VOLXXX DDN=SYS00005 DSN=TCPIP.STANDARD.TCPXLBIN
LDAPTASK VOL= PGM=BPXBATA8 LIB=SYS1.LINKLIB
STC06277 DA-OPN INPUT NOACCESS NAM=LDAP SERVER 15.1 ROL=
SYS8 SRC=STCINRDR UID= LDAPTASK
LDAPTASK 23.019 01/19 15.49 DATASET LOGGING NON-CANC
LDAPTASK VOL=VOLYYY DDN=MAPDB DSN=CACMGR.MAPDB.R151
LDAPTASK VOL= PGM=BPXBATA8 LIB=SYS1.LINKLIB
STC06277 DA-OPN INPUT NOACCESS NAM=LDAP SERVER 15.1 ROL=
SYS8 SRC=STCINRDR UID= LDAPTASK
To create a MAINT environment, a GSO MAINT record is created for logonid LDAPTASK with library and program:
ACF
INSERT MAINT.LDAP LIBRARY(SYS1.LINKLIB) LID(LDAPTASK) PGM(BPXBATA8)
F ACF2,REFRESH(MAINT)
Now when LDAPTASK is started, there are no loggings for the two datasets in the ACFRPTDS report because of the MAINT environment defined by the GSO MAINT record.
CA ACF2 - ACFRPTDS - DATASET ACCESS CROSS REFERENCE - PAGE 1
DATE 01/20/23 (23.020) TIME 07.49 ACFRPTDS
CAS2532I NO RECORDS MATCHED CRITERIA OR EMPTY SMF DATASET
Change Logonid LDAPTASK to add the MAINTTRC bit to create SMF records for dataset accesses that are allowed due to the MAINT environment:
ACF
CHANGE LDAPTASK MAINTTRC
LDAPTASK LDAPTASK LDAP SERVER 15.1
COMPANY() DEPT() IDNUM() LEVEL() LOCATION() OLDLID()
OWNER() OWNTYPE() POSITION() PROJECT() SITE()
CANCEL/SUSPEND MAINTTRC
PRIVILEGES MUSASS NO-SMC NON-CNCL
ACCESS ACC-CNT(149) ACC-DATE(01/19/23) ACC-SRCE(STCINRDR)
ACC-TIME(15:51)
PASSWORD KERB-VIO(0) KERBCURV() PSWA1TOD(04/07/21-07:25)
PSWA2TOD(00/00/00-00:00) PSWD-DAT(00/00/00) PSWD-EXP
PSWD-INV(0) PSWD-TOD(04/07/21-07:25) PSWD-VIO(0)
PSWDCVIO(0) PWP-DATE(00/00/00) PWP-VIO(0)
TSO DFT-PFX(LDAPTASK) DFT-PFX8(LDAPTASK)
STATISTICS CRE-TOD(04/07/21-07:25) SEC-VIO(0)
UPD-TOD(01/19/23-15:53)
MUSASS MUSUPDT
RESTRICTIONS GROUP(ENF) PREFIX(LDAPTASK)
Now when LDAPTASK is started, there are SMF trace records for the two datasets, and the ACFRPTDS report shows that access was allowed because of MANT-PGM:
CA ACF2 - ACFRPTDS - DATASET ACCESS JOURNAL - PAGE 1
DATE 01/19/23 (23.019) TIME 15.54 ACFRPTDS
LDAPTASK 23.019 01/19 15.53 DATASET TRACE REQ MANT-PGM
LDAPTASK VOL=VOLXXX DDN=SYS00005 DSN=TCPIP.STANDARD.TCPXLBIN
LDAPTASK VOL= PGM=BPXBATA8 LIB=SYS1.LINKLIB
STC06282 DA-OPN INPUT MAINT NAM=LDAP SERVER 15.1 ROL=
SYS8 SRC=STCINRDR UID= LDAPTASK
LDAPTASK 23.019 01/19 15.53 DATASET TRACE REQ MANT-PGM
LDAPTASK VOL=VOLYYY DDN=MAPDB DSN=CACMGR.MAPDB.R151
LDAPTASK VOL= PGM=BPXBATA8 LIB=SYS1.LINKLIB
STC06282 DA-OPN INPUT MAINT NAM=LDAP SERVER 15.1 ROL=
SYS8 SRC=STCINRDR UID= LDAPTASK
For details on the logonid MAINTTRC field see ACF2 documentation section: 'Logonid Record Fields'.
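Once MAINTTRC is on, the trace records can be reviewed to confirm which datasets each MAINT environment actually reached. The following is an added example, not part of the original article or of ACF2: it parses ACFRPTDS journal text in the flattened layout shown on this page (an assumption; real report columns may differ), groups MANT-PGM entries by logonid, program and library, and lists datasets that are not on a reviewer-supplied expected list (hypothetical).

```python
import re
from collections import defaultdict

# Report lines copied from this page, in the flattened layout shown here.
SAMPLE = """\
LDAPTASK 23.019 01/19 15.49 DATASET LOGGING NON-CANC
LDAPTASK VOL=VOLXXX DDN=SYS00005 DSN=TCPIP.STANDARD.TCPXLBIN
LDAPTASK VOL= PGM=BPXBATA8 LIB=SYS1.LINKLIB
STC06277 DA-OPN INPUT NOACCESS NAM=LDAP SERVER 15.1 ROL=
SYS8 SRC=STCINRDR UID= LDAPTASK
LDAPTASK 23.019 01/19 15.53 DATASET TRACE REQ MANT-PGM
LDAPTASK VOL=VOLXXX DDN=SYS00005 DSN=TCPIP.STANDARD.TCPXLBIN
LDAPTASK VOL= PGM=BPXBATA8 LIB=SYS1.LINKLIB
STC06282 DA-OPN INPUT MAINT NAM=LDAP SERVER 15.1 ROL=
SYS8 SRC=STCINRDR UID= LDAPTASK
LDAPTASK 23.019 01/19 15.53 DATASET TRACE REQ MANT-PGM
LDAPTASK VOL=VOLYYY DDN=MAPDB DSN=CACMGR.MAPDB.R151
LDAPTASK VOL= PGM=BPXBATA8 LIB=SYS1.LINKLIB
STC06282 DA-OPN INPUT MAINT NAM=LDAP SERVER 15.1 ROL=
SYS8 SRC=STCINRDR UID= LDAPTASK
"""

FIELD = re.compile(r"\b(DSN|PGM|LIB|DDN)=(\S+)")

def parse_journal(text):
    """Return one dict per journal entry (header line plus its detail lines)."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        # Entry header: LID, Julian date, date, time, DATASET, record type, reason.
        if len(tok) >= 6 and tok[4] == "DATASET" and re.fullmatch(r"\d\d\.\d{3}", tok[1]):
            entries.append({"LID": tok[0], "TIME": f"{tok[2]} {tok[3]}", "REASON": tok[-1]})
        elif entries:
            for key, value in FIELD.findall(line):
                entries[-1].setdefault(key, value)  # keep the first value seen
    return entries

def maint_access(entries):
    """Map (LID, PGM, LIB) to the sorted DSNs allowed through a MAINT environment."""
    seen = defaultdict(set)
    for e in entries:
        if e["REASON"] == "MANT-PGM":  # reason code as printed in the report
            seen[(e["LID"], e.get("PGM"), e.get("LIB"))].add(e.get("DSN", "?"))
    return {env: sorted(dsns) for env, dsns in seen.items()}

def unexpected(entries, expected_dsns):
    # expected_dsns is the reviewer's own list (hypothetical, not an ACF2 setting).
    return sorted({d for v in maint_access(entries).values() for d in v} - set(expected_dsns))
```

Calling `unexpected(parse_journal(report_text), expected)` on a saved report gives the datasets that were opened under a MAINT environment but that the reviewer did not anticipate.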