I am trying to test TYPE(SER) rules with NEXTKEY for resource EZB.INITSTACK.Z99Y.XTCPIP ..... but they keep getting denied... what am I doing wrong?

Article ID: 36160

Updated On:

Products

CA ACF2, CA ACF2 - DB2 Option, CA ACF2 for zVM, CA ACF2 - z/OS, CA ACF2 - MISC, CA PanApt, CA PanAudit

Issue/Introduction

Question:  

I am trying to test TYPE(SER) rules with NEXTKEY for resource TSS.INITSTACK.Z99Y.XTCPIP ..... but they keep getting denied... what am I doing wrong?

Answer: 

When testing TYPE(SER) resource rules, the F ACF2,REBUILD(SER) command should be issued after creating or updating any TYPE(SER) rules. When testing these rules, care should be taken when coding the TEST parameters to avoid errors.

 

The TEST subcommand checks the test rule against the current rules in a directory; you might have to store the rule and rebuild the directory before testing to get accurate results for the test. After compiling or updating the TYPE(SER) rules, issue the F ACF2,REBUILD(SER) command to activate the rule.

 

Care should be taken when specifying the 'rsrcname' keyword of the TEST subcommand. 'rsrcname' specifies a resource name for which access is tested.

NOTE: CA ACF2 places the $KEY value before the RSRC value unless you specify the RSRC value in single quotes.

 

The following is a sample showing two TYPE(SER) rules with NEXTKEYs, followed by two sample TEST commands.

 

ACF

SET RESOURCE(SER)

F ACF2,REBUILD(SER)

 

decomp INITSTAC

ACF75052 RESOURCE RULE INITSTAC STORED BY USER002 ON 01/11/16-15:18

$KEY(INITSTAC) TYPE(SER)

$PREFIX(EZB)

 INITSTACK.Z99Y.XTCPIP.- UID(*****x*y**z*7JQICVBWQA) SERVICE(READ) ALLOW

 INITSTACK.Z99Y.XTCPIP.- UID(*****x*y**z*7JQIGVBCXQD) SERVICE(READ) ALLOW

 INITSTACK.Z99Y.XTCPIP.- UID(*****x*y**z*0TS2) SERVICE(READ) ALLOW      

 INITSTACK.Z99Y.XTCPIP.- UID(*****x*y**z*7JQICVBWQA) SERVICE(READ) ALLOW

ACF75051 TOTAL RECORD LENGTH= 338 BYTES, 8 PERCENT UTILIZED

RESOURCE

 

decomp EZB

ACF75052 RESOURCE RULE EZB STORED BY USER002 ON 01/11/16-15:17

$KEY(EZB) TYPE(SER)

 BINDDVIPARANGE.- UID(*) NEXTKEY(DVIPA) PREVENT

 FTP.- UID(*) NEXTKEY(FTP) PREVENT

 INITSTACK.- UID(*) NEXTKEY(INITSTAC) PREVENT

 IPSECCMD.- UID(*) NEXTKEY(IPSECCMD) PREVENT

 NETACCESS.- UID(*) NEXTKEY(NETWORK) PREVENT

 NETSTAT.- UID(*) NEXTKEY(NETSTAT) PREVENT

 CVBWQA.- UID(*) NEXTKEY(CVBWQA) PREVENT

 PORTACCESS.- UID(*) NEXTKEY(PORT) PREVENT

 SNMCVBWQA.- UID(*) NEXTKEY(SNMPAGNT) PREVENT

 STACKACCESS.- UID(*) NEXTKEY(STACK) PREVENT

 TN3270.- UID(*) NEXTKEY(TN3270) PREVENT

ACF75051 TOTAL RECORD LENGTH= 602 BYTES, 14 PERCENT UTILIZED

RESOURCE

 

* TEST 1

 

test *

. rsrcname('EZB.INITSTACK.Z99Y.XTCPIP.test') UID(*****x*y**z*0TS2) SERVICE(READ)

 

ACF71114 THE FOLLOWING PARAMETERS ARE IN EFFECT: 

 DATE=01/11/16 TIME=1520 SOURCE=********  UID=*****x*y**z*0TS2             

 LID=         ROLE= 

 SERVICE=(READ)   

                  

 TARGET RESOURCE: RSER EZB.INITSTACK.Z99Y.XTCPIP

  

 NEXTKEY VALUES USED IN VALIDATION:

 NEXTKEY ELEMENTS: INITSTAC

   

 VALIDATED RULE LINE FROM INITSTAC TYPE SER

 INITSTACK.Z99Y.XTCPIP.- UID(*****x*y**z*0TS2) SERVICE(READ) ALLOW         

    

 RESULT: ACCESS WOULD BE ALLOWED

 REASON: RESOURCE RULE 

 

* TEST 2

 

test *

. rsrcname('EZB.INITSTACK.Z99Y.XTCPIP.test') UID(*****x*y**z*0TS2) SERVICE(READ)                                                                              

 

ACF71114 THE FOLLOWING PARAMETERS ARE IN EFFECT:                              

 DATE=01/11/16 TIME=1520 SOURCE=********  UID=*****x*y**z*0TS2                

 LID=         ROLE=                                                           

 SERVICE=(READ)                                                               

                                                                              

 TARGET RESOURCE: RSER EZB.INITSTACK.Z99Y.XTCPIP.TEST                         

                                                                              

 NEXTKEY VALUES USED IN VALIDATION:                                           

 NEXTKEY ELEMENTS: INITSTAC                                                   

                                                                              

 VALIDATED RULE LINE FROM INITSTAC TYPE SER                                   

 INITSTACK.Z99Y.XTCPIP.- UID(*****x*y**z*0TS2) SERVICE(READ) ALLOW            

                                                                              

 RESULT: ACCESS WOULD BE ALLOWED                                              

 REASON: RESOURCE RULE                       
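
The evaluation traced in the two tests can be modelled in a few lines of Python. This is an added illustration, not CA ACF2 code or output: it follows the NOTE on quoted versus unquoted 'rsrcname' and the NEXTKEY hop from EZB to INITSTAC, using a subset of the rule lines above. The function names, the constructed SAMPLE_UID, joining $KEY to the name with a period, first-match line order and the simplified masking are assumptions of the model.

```python
import re

# Rule sets transcribed from the decomp output above (subset of lines).
# Each line: (resource mask, UID mask, allowed services, NEXTKEY)
RULES = {
    "EZB": {"prefix": "EZB", "lines": [
        ("FTP.-", "*", (), "FTP"),
        ("INITSTACK.-", "*", (), "INITSTAC"),
    ]},
    "INITSTAC": {"prefix": "EZB", "lines": [  # $PREFIX(EZB)
        ("INITSTACK.Z99Y.XTCPIP.-", "*****x*y**z*0TS2", ("READ",), None),
    ]},
}
SAMPLE_UID = "ABCDExFyGHzI0TS2"  # constructed UID that fits the mask above

def matches(mask, value, leading=False):
    # Simplified masking (assumption): '*' = any one character, trailing '.-' =
    # zero or more further levels; leading=True matches the start of the value.
    tail = ""
    if mask.endswith(".-"):
        mask, tail = mask[:-2], r"(\..*)?"
    body = "".join("." if c == "*" else re.escape(c) for c in mask)
    return re.fullmatch(body + tail + (".*" if leading else ""), value) is not None

def effective_rsrcname(key, rsrcname):
    # Quoted: used as given. Unquoted: $KEY is placed in front
    # (joining with a period is an assumption of this model).
    if len(rsrcname) > 1 and rsrcname[0] == rsrcname[-1] == "'":
        return rsrcname[1:-1].upper()
    return f"{key}.{rsrcname}".upper()

def simulate_test(rules, key, rsrcname, uid, service):
    """Return (target resource, NEXTKEYs followed, 'ALLOW' or 'DENY')."""
    name, chain = effective_rsrcname(key, rsrcname), []
    while key is not None:
        ruleset = rules.get(key, {"prefix": key, "lines": []})
        prefix = ruleset["prefix"] + "."
        rest = name[len(prefix):] if name.startswith(prefix) else None
        hit = next((ln for ln in ruleset["lines"] if rest is not None
                    and matches(ln[0], rest) and matches(ln[1], uid, True)), None)
        if hit is None:
            return name, chain, "DENY"  # no rule line applies
        if hit[3] is None:
            return name, chain, "ALLOW" if service in hit[2] else "DENY"
        key = hit[3]  # follow NEXTKEY into the next rule set
        chain.append(key)
```

In this model, passing the full name unquoted while testing rule EZB yields the target EZB.EZB.INITSTACK.Z99Y.XTCPIP.TEST, which no rule line matches, so the result is a deny.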

 

Additional Information:

Details on the ACF TEST command can be found in the CA ACF2 for z/OS Administration Guide in Chapter 7: Maintaining Resource Rules, section 'Using the ACF Command', sub-section 'TEST Subcommand'.

Environment

Release:
Component: ACF2MS