
How can ACF2 access allowed by a GSO MAINT record be tracked


Article ID: 258184


Products

ACF2 ACF2 - MISC ACF2 - z/OS

Issue/Introduction

The GSO MAINT record allows sites to bypass rule validation for a specific environment: when the library, LID, and program of an access match a GSO MAINT record, the access is allowed and no SMF logging record is created. Disk compression and archiving are examples of standard system maintenance functions that would normally require special logonid privileges such as NON-CNCL, or rules coded for every dataset that is accessed.

How can ACF2 access allowed by a GSO MAINT record be tracked?

Environment

ACF2 rel 16.0

z/OS

Resolution

The logonid field MAINTTRC can be used to specify that an SMF record is to be cut for every access that was allowed because it matched a MAINT environment, for example an access that matched a MAINT record where the logonid had MAINT or NON-CNCL turned on. The MAINT-PGM flag (displayed as MANT-PGM) in the ACFRPTDS report shows an access that was allowed because of a GSO MAINT record.

Example:

Logonid LDAPSV15 has NON-CNCL which logs and allows full access to any data set or resources:

ACF
LIST LDAPSV15
  LDAPSV15                          LDAPSV15 LDAP SERVER 15.1              
                       COMPANY() DEPT() IDNUM() LEVEL() LOCATION() OLDLID()  
                       OWNER() OWNTYPE() POSITION() PROJECT() SITE()         
  PRIVILEGES           MUSASS NO-SMC NON-CNCL                                
  ACCESS               ACC-CNT(149) ACC-DATE(01/19/23) ACC-SRCE(STCINRDR)    
                       ACC-TIME(15:51)                                       
  PASSWORD             KERB-VIO(0) KERBCURV() PSWA1TOD(04/07/21-07:25)       
                       PSWA2TOD(00/00/00-00:00) PSWD-DAT(00/00/00) PSWD-EXP  
                       PSWD-INV(0) PSWD-TOD(04/07/21-07:25) PSWD-VIO(0)      
                       PSWDCVIO(0) PWP-DATE(00/00/00) PWP-VIO(0)             
  TSO                  DFT-PFX(LDAPR15) DFT-PFX8(LDAPSV15)                   
  STATISTICS           CRE-TOD(04/07/21-07:25) SEC-VIO(0)                    
                       UPD-TOD(01/19/23-15:53)                               
  MUSASS               MUSUPDT                                               
  RESTRICTIONS         GROUP(ENF) PREFIX(LDAPSV15)   

When LDAPSV15 is started, accesses to two datasets are logged. The ACFRPTDS report shows the access allowed because of NON-CNCL:

CA ACF2 - ACFRPTDS - DATASET ACCESS JOURNAL         -                 PAGE    1 
DATE 01/19/23 (23.019) TIME 15.54 ACFRPTDS    

LDAPSV15 23.019 01/19 15.49       DATASET  LOGGING   NON-CANC    
LDAPSV15 VOL=MVZ25A DDN=SYS00005 DSN=TCPIP.STANDARD.TCPXLBIN     
LDAPSV15 VOL=       PGM=BPXBATA8 LIB=SYS1.LINKLIB                
STC06277 DA-OPN INPUT   NOACCESS NAM=LDAP SERVER 15.1     ROL=   
SYS8     SRC=STCINRDR            UID=             LDAPSV15       
                                                                 
LDAPSV15 23.019 01/19 15.49       DATASET  LOGGING   NON-CANC    
LDAPSV15 VOL=TSOA28 DDN=MAPDB    DSN=PROD8.CACMGR.MAPDB.R151     
LDAPSV15 VOL=       PGM=BPXBATA8 LIB=SYS1.LINKLIB                
STC06277 DA-OPN INPUT   NOACCESS NAM=LDAP SERVER 15.1     ROL=   
SYS8     SRC=STCINRDR            UID=             LDAPSV15       

To create a MAINT environment, a GSO MAINT record is created for logonid LDAPSV15 with library and program:

ACF
INSERT MAINT.LDAP LIBRARY(SYS1.LINKLIB) LID(LDAPSV15) PGM(BPXBATA8)
F ACF2,REFRESH(MAINT)

Now when LDAPSV15 is started, there are no loggings for the two datasets in the ACFRPTDS report, because of the MAINT environment defined by the GSO MAINT record:

CA ACF2 - ACFRPTDS - DATASET ACCESS CROSS REFERENCE -                 PAGE    1 
DATE 01/20/23 (23.020) TIME 07.49 ACFRPTDS                                      

CAS2532I NO RECORDS MATCHED CRITERIA OR EMPTY SMF DATASET  

Change Logonid LDAPSV15 to add the MAINTTRC bit to create SMF records for dataset accesses that are allowed due to the MAINT environment:

ACF
CHANGE LDAPSV15 MAINTTRC                                                     
  LDAPSV15                          LDAPSV15 LDAP SERVER 15.1                
                       COMPANY() DEPT() IDNUM() LEVEL() LOCATION() OLDLID()  
                       OWNER() OWNTYPE() POSITION() PROJECT() SITE()         
  CANCEL/SUSPEND       MAINTTRC                                              
  PRIVILEGES           MUSASS NO-SMC NON-CNCL                                
  ACCESS               ACC-CNT(149) ACC-DATE(01/19/23) ACC-SRCE(STCINRDR)    
                       ACC-TIME(15:51)                                       
  PASSWORD             KERB-VIO(0) KERBCURV() PSWA1TOD(04/07/21-07:25)       
                       PSWA2TOD(00/00/00-00:00) PSWD-DAT(00/00/00) PSWD-EXP  
                       PSWD-INV(0) PSWD-TOD(04/07/21-07:25) PSWD-VIO(0)      
                       PSWDCVIO(0) PWP-DATE(00/00/00) PWP-VIO(0)             
  TSO                  DFT-PFX(LDAPR15) DFT-PFX8(LDAPSV15)                   
  STATISTICS           CRE-TOD(04/07/21-07:25) SEC-VIO(0)                    
                       UPD-TOD(01/19/23-15:53)                               
  MUSASS               MUSUPDT                                               
  RESTRICTIONS         GROUP(ENF) PREFIX(LDAPSV15)        

Now when LDAPSV15 is started, there are SMF trace records for the two datasets, and the ACFRPTDS report shows the access allowed because of MANT-PGM:

CA ACF2 - ACFRPTDS - DATASET ACCESS JOURNAL         -                 PAGE    1 
DATE 01/19/23 (23.019) TIME 15.54 ACFRPTDS    

LDAPSV15 23.019 01/19 15.53       DATASET  TRACE REQ          MANT-PGM     
LDAPSV15 VOL=MVZ25A DDN=SYS00005 DSN=TCPIP.STANDARD.TCPXLBIN               
LDAPSV15 VOL=       PGM=BPXBATA8 LIB=SYS1.LINKLIB                          
STC06282 DA-OPN INPUT   MAINT    NAM=LDAP SERVER 15.1     ROL=             
SYS8     SRC=STCINRDR            UID=             LDAPSV15                 
                                                                           
LDAPSV15 23.019 01/19 15.53       DATASET  TRACE REQ          MANT-PGM     
LDAPSV15 VOL=TSOA28 DDN=MAPDB    DSN=PROD8.CACMGR.MAPDB.R151               
LDAPSV15 VOL=       PGM=BPXBATA8 LIB=SYS1.LINKLIB                          
STC06282 DA-OPN INPUT   MAINT    NAM=LDAP SERVER 15.1     ROL=             
SYS8     SRC=STCINRDR            UID=             LDAPSV15             
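The report entries above are the only evidence a MAINT-allowed access leaves once MAINTTRC is set, so a site tracking GSO MAINT usage usually wants to pull the MANT-PGM entries out of ACFRPTDS output and check them against the MAINT records it knows about. The following is an added example, not part of this article or of ACF2; it assumes the five-line detail layout shown above and uses a constructed sample report modelled on it.

```python
import re
from dataclasses import dataclass

# Constructed sample in the ACFRPTDS layout shown in this article (not real SMF data):
# one NON-CNCL logging entry and one MAINTTRC trace entry.
SAMPLE_REPORT = """\
LDAPSV15 23.019 01/19 15.49       DATASET  LOGGING   NON-CANC
LDAPSV15 VOL=MVZ25A DDN=SYS00005 DSN=TCPIP.STANDARD.TCPXLBIN
LDAPSV15 VOL=       PGM=BPXBATA8 LIB=SYS1.LINKLIB
STC06277 DA-OPN INPUT   NOACCESS NAM=LDAP SERVER 15.1     ROL=
SYS8     SRC=STCINRDR            UID=             LDAPSV15

LDAPSV15 23.019 01/19 15.53       DATASET  TRACE REQ          MANT-PGM
LDAPSV15 VOL=TSOA28 DDN=MAPDB    DSN=PROD8.CACMGR.MAPDB.R151
LDAPSV15 VOL=       PGM=BPXBATA8 LIB=SYS1.LINKLIB
STC06282 DA-OPN INPUT   MAINT    NAM=LDAP SERVER 15.1     ROL=
SYS8     SRC=STCINRDR            UID=             LDAPSV15
"""

@dataclass
class DsAccess:
    lid: str     # logonid that made the access
    jdate: str   # yy.ddd
    time: str    # hh.mm
    action: str  # LOGGING or TRACE REQ
    reason: str  # why it was allowed: NON-CANC, MANT-PGM, ...
    dsn: str
    pgm: str
    lib: str

HDR = re.compile(r"^(\S+)\s+(\d\d\.\d{3})\s+\d\d/\d\d\s+(\d\d\.\d\d)\s+DATASET\s+"
                 r"(TRACE REQ|LOGGING|\S+)\s+(\S+)")
DSN = re.compile(r"\bDSN=(\S+)")
PGM = re.compile(r"\bPGM=(\S+)\s+LIB=(\S+)")

def parse_acfrptds(text):
    """One DsAccess per blank-line-separated detail entry; entries missing a field are skipped."""
    out = []
    for block in re.split(r"\n\s*\n", text.strip()):
        h, d, p = HDR.match(block), DSN.search(block), PGM.search(block)
        if h and d and p:
            out.append(DsAccess(h[1], h[2], h[3], h[4], h[5], d[1], p[1], p[2]))
    return out

def audit_maint_access(records, maint_envs):
    """Split MANT-PGM entries into those matching a known GSO MAINT environment
    (LID, LIBRARY, PGM) and those matching none; the latter deserve a closer look."""
    envs = {tuple(s.upper() for s in e) for e in maint_envs}
    matched, unmatched = [], []
    for r in records:
        if r.reason == "MANT-PGM":
            (matched if (r.lid, r.lib, r.pgm) in envs else unmatched).append(r)
    return matched, unmatched
```

Feed it the detail lines of a real ACFRPTDS run (headers stripped) and the LID/LIBRARY/PGM values from your GSO MAINT records to list every access that a MAINT environment bypassed rule validation for.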

Additional Information

For details on the logonid MAINTTRC field see ACF2 documentation section: 'Logonid Record Fields'.