Can the Library Name option of the ACF GSO MAINT record be masked?


Article ID: 26446


Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, PanApt, PanAudit

Issue/Introduction

Question:  

How do you specify more than one library in the CA ACF2 GSO MAINT record?

 

Answer:  

The CA ACF2 GSO MAINT record describes a maintenance environment that can bypass security validations if the environment is exactly as described. It does not allow masking for any of its options. The options are LIBRARY, LOGONID, and PROGRAM. The reason for this limitation is that the GSO MAINT record is a very powerful option: the matched environment can access all datasets with no journaling and no denial of access.

Let's take a look at an example:

Let's say that you have a business need to allow a program called IEBGENER to read any dataset when the program is found in SYS1.LINKLIB. Let's also say that a logonid called SYSPROG is the user who needs to access this data. In this environment, SYSPROG is allowed to read ANY dataset as long as the dataset open is made by a program called IEBGENER and that program resides in SYS1.LINKLIB. If the SYSPROG logonid uses a different program or library, normal ACF2 rule validation takes precedence and the user could be denied if they do not have the appropriate access.

The following is an example of how you would set up this GSO MAINT record:

    acf 
    set control(gso) 
    insert maint.xxx LIBRARY(SYS1.LINKLIB) LID(SYSPROG) -
    PGM(IEBGENER)

Note: The xxx in the setting of the maint record is called a suffix. This is a value of your choosing and is not used in the validation.

Setting up a MAINT environment also requires that the logonid have the MAINT bit. The following example shows the setting of the MAINT bit in the SYSPROG logonid.

    acf 
    set logonid 
    CHANGE SYSPROG MAINT 

As you can see from the above explanation, the MAINT record is a very powerful global record. The design of this GSO record does not allow masking so as to avoid the inadvertent masking of the MAINT Record options.

If you need to use additional libraries then you need to insert additional GSO MAINT Records. If you need additional programs, then you can specify up to 255 programs in the GSO MAINT record.
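As an added example (not CA/Broadcom code), the Python sketch below reviews proposed `insert maint...` commands before they are entered: it lists one record per library, flags any LIBRARY, LID or PGM value that contains a mask character, and enforces the 255-program limit. It assumes `*` and `-` are the mask characters to flag and that PGM values are comma-separated; the sample commands, the suffixes and the SYS2.LINKLIB library are constructed for illustration.

```python
import re

MASK_CHARS = set("*-")   # assumption: ACF2 mask characters to flag in MAINT operands
MAX_PROGRAMS = 255       # PGM limit stated in the article
OPERAND = re.compile(r"\b(LIBRARY|LID|PGM)\(([^)]*)\)", re.IGNORECASE)

def join_continuations(text):
    """Merge lines that end with the '-' continuation character into one command."""
    commands, pending = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("-"):
            pending += line[:-1].rstrip() + " "
        elif pending or line:
            commands.append(pending + line)
            pending = ""
    if pending.strip():
        commands.append(pending.strip())
    return commands

def check_maint_inserts(text):
    """Return (records, findings) for each 'insert maint.xxx ...' command in text."""
    records, findings = [], []
    for cmd in join_continuations(text):
        words = cmd.split()
        if len(words) < 2 or words[0].lower() != "insert":
            continue
        if not words[1].lower().startswith("maint"):
            continue
        rec_id = words[1].lower()
        ops = {k.upper(): v.strip() for k, v in OPERAND.findall(cmd)}
        for name, value in ops.items():
            if MASK_CHARS & set(value):
                findings.append((rec_id, f"{name}({value}) is masked; MAINT needs exact values"))
        programs = [p for p in re.split(r"[,\s]+", ops.get("PGM", "")) if p]
        if len(programs) > MAX_PROGRAMS:
            findings.append((rec_id, f"PGM lists {len(programs)} programs; limit is {MAX_PROGRAMS}"))
        records.append((rec_id, ops.get("LIBRARY"), ops.get("LID"), programs))
    return records, findings

# Constructed sample: the article's record with a second program, a record for a
# hypothetical second library (SYS2.LINKLIB), and a masked LIBRARY to be flagged.
SAMPLE = """\
set control(gso)
insert maint.aaa LIBRARY(SYS1.LINKLIB) LID(SYSPROG) -
  PGM(IEBGENER,IEBCOPY)
insert maint.bbb LIBRARY(SYS2.LINKLIB) LID(SYSPROG) PGM(IEBGENER)
insert maint.ccc LIBRARY(SYS*.LINKLIB) LID(SYSPROG) PGM(IEBGENER)
"""
```

Calling `check_maint_inserts(SAMPLE)` returns three records and one finding, for `maint.ccc`; the first two records show the supported way to cover two libraries.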

 

Environment

Component: ACF2MS
