The GSO MAINT record allows sites to bypass rule validation for a specific environment when the library, LID, and program match the GSO MAINT record. Access allowed this way creates no SMF logging records. Disk compression and archiving are examples of standard system maintenance functions that would otherwise require special logonid privileges such as NON-CNCL, or rules coded for every dataset that is accessed.
How can ACF2 access allowed by a GSO MAINT record be tracked?
ACF2 rel 16.0
z/OS
The logonid field MAINTTRC can be used to specify that an SMF record is to be cut for every access that was allowed because it matched a MAINT environment. For example, the access matched a MAINT record and the userid had MAINT or NON-CNCL turned on. The MANT-PGM flag in the ACFRPTDS report shows the access that was allowed due to a GSO MAINT record.
Example:
Logonid LDAPSV15 has NON-CNCL, which logs and allows full access to any data set or resource:
ACF
LIST LDAPSV15
LDAPSV15 LDAPSV15 LDAP SERVER 15.1
COMPANY() DEPT() IDNUM() LEVEL() LOCATION() OLDLID()
OWNER() OWNTYPE() POSITION() PROJECT() SITE()
PRIVILEGES MUSASS NO-SMC NON-CNCL
ACCESS ACC-CNT(149) ACC-DATE(01/19/23) ACC-SRCE(STCINRDR)
ACC-TIME(15:51)
PASSWORD KERB-VIO(0) KERBCURV() PSWA1TOD(04/07/21-07:25)
PSWA2TOD(00/00/00-00:00) PSWD-DAT(00/00/00) PSWD-EXP
PSWD-INV(0) PSWD-TOD(04/07/21-07:25) PSWD-VIO(0)
PSWDCVIO(0) PWP-DATE(00/00/00) PWP-VIO(0)
TSO DFT-PFX(LDAPR15) DFT-PFX8(LDAPSV15)
STATISTICS CRE-TOD(04/07/21-07:25) SEC-VIO(0)
UPD-TOD(01/19/23-15:53)
MUSASS MUSUPDT
RESTRICTIONS GROUP(ENF) PREFIX(LDAPSV15)
When LDAPSV15 is started, access to two datasets is logged. The ACFRPTDS report shows the access was allowed because of NON-CNCL:
CA ACF2 - ACFRPTDS - DATASET ACCESS JOURNAL - PAGE 1
DATE 01/19/23 (23.019) TIME 15.54 ACFRPTDS
LDAPSV15 23.019 01/19 15.49 DATASET LOGGING NON-CANC
LDAPSV15 VOL=MVZ25A DDN=SYS00005 DSN=TCPIP.STANDARD.TCPXLBIN
LDAPSV15 VOL= PGM=BPXBATA8 LIB=SYS1.LINKLIB
STC06277 DA-OPN INPUT NOACCESS NAM=LDAP SERVER 15.1 ROL=
SYS8 SRC=STCINRDR UID= LDAPSV15
LDAPSV15 23.019 01/19 15.49 DATASET LOGGING NON-CANC
LDAPSV15 VOL=TSOA28 DDN=MAPDB DSN=PROD8.CACMGR.MAPDB.R151
LDAPSV15 VOL= PGM=BPXBATA8 LIB=SYS1.LINKLIB
STC06277 DA-OPN INPUT NOACCESS NAM=LDAP SERVER 15.1 ROL=
SYS8 SRC=STCINRDR UID= LDAPSV15
To create a MAINT environment, a GSO MAINT record is created for logonid LDAPSV15 with library and program:
ACF
INSERT MAINT.LDAP LIBRARY(SYS1.LINKLIB) LID(LDAPSV15) PGM(BPXBATA8)
F ACF2,REFRESH(MAINT)
Now, when LDAPSV15 is started, the ACFRPTDS report shows no logging for the two datasets, because the access falls within the MAINT environment defined by the GSO MAINT record:
CA ACF2 - ACFRPTDS - DATASET ACCESS CROSS REFERENCE - PAGE 1
DATE 01/20/23 (23.020) TIME 07.49 ACFRPTDS
CAS2532I NO RECORDS MATCHED CRITERIA OR EMPTY SMF DATASET
Change Logonid LDAPSV15 to add the MAINTTRC bit to create SMF records for dataset accesses that are allowed due to the MAINT environment:
ACF
CHANGE LDAPSV15 MAINTTRC
LDAPSV15 LDAPSV15 LDAP SERVER 15.1
COMPANY() DEPT() IDNUM() LEVEL() LOCATION() OLDLID()
OWNER() OWNTYPE() POSITION() PROJECT() SITE()
CANCEL/SUSPEND MAINTTRC
PRIVILEGES MUSASS NO-SMC NON-CNCL
ACCESS ACC-CNT(149) ACC-DATE(01/19/23) ACC-SRCE(STCINRDR)
ACC-TIME(15:51)
PASSWORD KERB-VIO(0) KERBCURV() PSWA1TOD(04/07/21-07:25)
PSWA2TOD(00/00/00-00:00) PSWD-DAT(00/00/00) PSWD-EXP
PSWD-INV(0) PSWD-TOD(04/07/21-07:25) PSWD-VIO(0)
PSWDCVIO(0) PWP-DATE(00/00/00) PWP-VIO(0)
TSO DFT-PFX(LDAPR15) DFT-PFX8(LDAPSV15)
STATISTICS CRE-TOD(04/07/21-07:25) SEC-VIO(0)
UPD-TOD(01/19/23-15:53)
MUSASS MUSUPDT
RESTRICTIONS GROUP(ENF) PREFIX(LDAPSV15)
Now, when LDAPSV15 is started, SMF trace records are cut for the two datasets. The ACFRPTDS report shows the access was allowed because of MANT-PGM:
CA ACF2 - ACFRPTDS - DATASET ACCESS JOURNAL - PAGE 1
DATE 01/19/23 (23.019) TIME 15.54 ACFRPTDS
LDAPSV15 23.019 01/19 15.53 DATASET TRACE REQ MANT-PGM
LDAPSV15 VOL=MVZ25A DDN=SYS00005 DSN=TCPIP.STANDARD.TCPXLBIN
LDAPSV15 VOL= PGM=BPXBATA8 LIB=SYS1.LINKLIB
STC06282 DA-OPN INPUT MAINT NAM=LDAP SERVER 15.1 ROL=
SYS8 SRC=STCINRDR UID= LDAPSV15
LDAPSV15 23.019 01/19 15.53 DATASET TRACE REQ MANT-PGM
LDAPSV15 VOL=TSOA28 DDN=MAPDB DSN=PROD8.CACMGR.MAPDB.R151
LDAPSV15 VOL= PGM=BPXBATA8 LIB=SYS1.LINKLIB
STC06282 DA-OPN INPUT MAINT NAM=LDAP SERVER 15.1 ROL=
SYS8 SRC=STCINRDR UID= LDAPSV15
For details on the logonid MAINTTRC field see ACF2 documentation section: 'Logonid Record Fields'.
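Added example (not part of the original article or of ACF2): a Python script that post-processes ACFRPTDS journal text once MAINTTRC is on, grouping MANT-PGM accesses by the LID, program, and library that matched and listing datasets a reviewer did not expect the MAINT environment to touch. The entry layout is assumed from the excerpts on this page; the function names and the expected_dsns list are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: ACFRPTDS entries as shown on this page (one NON-CNCL
# logging entry, two MAINTTRC trace entries), whitespace as extracted.
SAMPLE_REPORT = """\
LDAPSV15 23.019 01/19 15.49 DATASET LOGGING NON-CANC
LDAPSV15 VOL=MVZ25A DDN=SYS00005 DSN=TCPIP.STANDARD.TCPXLBIN
LDAPSV15 VOL= PGM=BPXBATA8 LIB=SYS1.LINKLIB
STC06277 DA-OPN INPUT NOACCESS NAM=LDAP SERVER 15.1 ROL=
LDAPSV15 23.019 01/19 15.53 DATASET TRACE REQ MANT-PGM
LDAPSV15 VOL=MVZ25A DDN=SYS00005 DSN=TCPIP.STANDARD.TCPXLBIN
LDAPSV15 VOL= PGM=BPXBATA8 LIB=SYS1.LINKLIB
STC06282 DA-OPN INPUT MAINT NAM=LDAP SERVER 15.1 ROL=
LDAPSV15 23.019 01/19 15.53 DATASET TRACE REQ MANT-PGM
LDAPSV15 VOL=TSOA28 DDN=MAPDB DSN=PROD8.CACMGR.MAPDB.R151
LDAPSV15 VOL= PGM=BPXBATA8 LIB=SYS1.LINKLIB
STC06282 DA-OPN INPUT MAINT NAM=LDAP SERVER 15.1 ROL=
"""

# Entry header: logonid, Julian date, mm/dd, hh.mm, "DATASET", type, reason.
HEADER = re.compile(r"^(\S+)\s+\d\d\.\d{3}\s+(\d\d/\d\d)\s+(\d\d\.\d\d)\s+DATASET\s+.*?\s+(\S+)\s*$")
FIELD = re.compile(r"\b(DSN|PGM|LIB)=(\S*)")

def parse_entries(report_text):
    """Return one dict per journal entry: lid, date, time, reason, DSN, PGM, LIB."""
    entries = []
    for line in report_text.splitlines():
        m = HEADER.match(line)
        if m:
            lid, date, time, reason = m.groups()
            entries.append({"lid": lid, "date": date, "time": time, "reason": reason})
        elif entries:
            entries[-1].update(FIELD.findall(line))  # continuation lines of the entry
    return entries

def maint_access(entries, expected_dsns=()):
    """Group MANT-PGM accesses by (LID, PGM, LIB); return DSNs not in expected_dsns."""
    by_env, unexpected = defaultdict(set), []
    for e in entries:
        if e["reason"] != "MANT-PGM":
            continue  # NON-CANC and other reasons are not MAINT-environment access
        by_env[(e["lid"], e.get("PGM"), e.get("LIB"))].add(e.get("DSN"))
        if e.get("DSN") not in expected_dsns:
            unexpected.append(e)
    return dict(by_env), unexpected
```

Feed it the text of an ACFRPTDS run and pass the datasets the maintenance program is known to need as expected_dsns; anything returned in the second value is access the GSO MAINT record permitted outside that list.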