I am trying to test TYPE(SER) rules with NEXTKEY for resource test.INITSTACK.xxx.TCPIP ..... but they keep getting denied... What am I doing wrong?
When testing TYPE(SER) resource rules, the F ACF2,REBUILD(SER) command
should be issued after creating and updating any TYPE(SER) rules. When
testing these rules, care should be taken when coding the TEST parameters
to avoid errors.
The TEST subcommand checks the test rule against the current rules in a
directory; you might have to store the rule and rebuild the directory
before testing to get accurate results for the test. After compiling or
updating the TYPE(SER) rules, issue the F ACF2,REBUILD(SER) command to
activate the rule.
Care should be taken when specifying the 'rsrcname' keyword of the TEST
subcommand. 'rsrcname' specifies the resource name for which access is tested.
NOTE: CA ACF2 places the $KEY value before the RSRC value unless you specify the
RSRC value in single quotes.
The following is a sample showing two TYPE(SER) rules with NEXTKEYs,
followed by two sample TEST commands.
ACF
SET RESOURCE(SER)
F ACF2,REBUILD(SER)
decomp INITSTAC
ACF75052 RESOURCE RULE INITSTAC STORED BY USER001 ON 01/11/16-15:18
$KEY(test) TYPE(SER)
$PREFIX(EZB)
xxx.XTCPIP.- UID(uid of user1) SERVICE(READ) ALLOW
xxx.XTCPIP.- UID(uid of user2) SERVICE(READ) ALLOW
xxx.XTCPIP.- UID(uid of user 3) SERVICE(READ) ALLOW
ACF75051 TOTAL RECORD LENGTH= 338 BYTES, 8 PERCENT UTILIZED
RESOURCE
decomp EZB
ACF75052 RESOURCE RULE EZB STORED BY USER001 ON 01/11/16-15:17
$KEY(EZB) TYPE(SER)
BINDDVIPARANGE.- UID(*) NEXTKEY(DVIPA) PREVENT
FTP.- UID(*) NEXTKEY(FTP) PREVENT
INITSTACK.- UID(*) NEXTKEY(INITSTAC) PREVENT
IPSECCMD.- UID(*) NEXTKEY(IPSECCMD) PREVENT
NETACCESS.- UID(*) NEXTKEY(NETWORK) PREVENT
NETSTAT.- UID(*) NEXTKEY(NETSTAT) PREVENT
CVBWQA.- UID(*) NEXTKEY(CVBWQA) PREVENT
PORTACCESS.- UID(*) NEXTKEY(PORT) PREVENT
SNMCVBWQA.- UID(*) NEXTKEY(SNMPAGNT) PREVENT
STACKACCESS.- UID(*) NEXTKEY(STACK) PREVENT
TN3270.- UID(*) NEXTKEY(TN3270) PREVENT
ACF75051 TOTAL RECORD LENGTH= 602 BYTES, 14 PERCENT UTILIZED
RESOURCE
* TEST 1
test *
. rsrcname('EZB.INITSTACK.xxx.XTCPIP.test') UID(uid of user1) SERVICE(READ)
ACF71114 THE FOLLOWING PARAMETERS ARE IN EFFECT:
DATE=01/11/16 TIME=1520 SOURCE=******** UID=uid of user1
LID= ROLE=
SERVICE=(READ)
TARGET RESOURCE: RSER EZB.INITSTACK.xxx.XTCPIP
NEXTKEY VALUES USED IN VALIDATION:
NEXTKEY ELEMENTS: INITSTAC
VALIDATED RULE LINE FROM INITSTAC TYPE SER
INITSTACK.xxx.XTCPIP.- UID(uid if user2) SERVICE(READ) ALLOW
RESULT: ACCESS WOULD BE ALLOWED
REASON: RESOURCE RULE
* TEST 2
test *
. rsrcname('EZB.INITSTACK.xxx.XTCPIP.test') UID(uid of user3) SERVICE(READ)
ACF71114 THE FOLLOWING PARAMETERS ARE IN EFFECT:
DATE=01/11/16 TIME=1520 SOURCE=******** UID=uid of user3
LID= ROLE=
SERVICE=(READ)
TARGET RESOURCE: RSER EZB.INITSTACK.xxx.XTCPIP.TEST
NEXTKEY VALUES USED IN VALIDATION:
NEXTKEY ELEMENTS: INITSTAC
VALIDATED RULE LINE FROM INITSTAC TYPE SER
INITSTACK.xxx.XTCPIP.- UID(uid of user3) SERVICE(READ) ALLOW
RESULT: ACCESS WOULD BE ALLOWED
REASON: RESOURCE RULE
Details on the ACF TEST command can be found in the CA ACF2 for z/OS Administration Guide in Chapter 7: Maintaining Resource Rules, section 'Using the ACF Command', sub-section 'TEST Subcommand'.