How to grant NON-CNCL for a limited time period

Article ID: 39856
Products

CA ACF2
CA ACF2 - DB2 Option
CA ACF2 for zVM
CA ACF2 - z/OS
CA ACF2 - MISC
CA PanApt
CA PanAudit

Issue/Introduction


Question: 

How can I give a special privilege, like NON-CNCL, to a user for a short period of time? 

Answer: 

There is a PRIV-CTL attribute you can add to a user's lidrec. At signon it causes a series
of validations with the resource class of PRIVCTL and the resource names of the privileges/
attributes that can be "temporarily" assigned to the user. The in-storage copy of the user's
lidrec is then updated with the privileges allowed by the rules.

You would first have to define a CLASMAP record to map PRIVCTL to PRV (or some other three
characters of your choice). If you want to give the user NON-CNCL for 5 days, the rule would
look similar to this:

ACF
SET R(PRV)       <------new TYPE code defined in CLASMAP record
$KEY(NON-CNCL) TYPE(PRV)
UID(uid of user) FOR(5) ALLOW

where the FOR value is the number of days from the rule compile date. A value of 0 indicates
"today only".
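The following is an added example, not part of the original article, showing the whole sequence around the rule above: mapping the class, flagging the lidrec, and compiling the rule. The GSO CLASMAP record syntax (RESOURCE/RSRCTYPE), the SET LID / CHANGE step, the COMPILE * STORE step and the console REFRESH command are standard ACF2 commands assumed here; the article itself only shows the rule. USER01 and its UID string are constructed sample values.

```text
ACF
SET CONTROL(GSO)
INSERT CLASMAP.PRIVCTL RESOURCE(PRIVCTL) RSRCTYPE(PRV)   <------map class PRIVCTL to TYPE code PRV

SET LID
CHANGE USER01 PRIV-CTL                                  <------user must have PRIV-CTL for the signon checks to run

SET RESOURCE(PRV)
COMPILE * STORE                                          <------rule text follows, ended by a null line
$KEY(NON-CNCL) TYPE(PRV)
UID(USER01) FOR(5) ALLOW                                 <------constructed UID; FOR(5) = five days from compile date

END

F ACF2,REFRESH(CLASMAP)                                  <------console command so the new CLASMAP record takes effect
```

The grant only appears in the user's in-storage lidrec at the user's next signon, so an already signed-on session is unaffected until it is re-established. When the FOR period has elapsed the rule no longer allows the privilege and the next signon builds the lidrec without NON-CNCL; no change to the permanent lidrec is needed in either direction.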

If the user gains access to a resource because of the NON-CNCL privilege on his lidrec
(whether it is permanent or temporary), ACF2 will generate a logging SMF record that would
show up in the ACFRPTDS or ACFRPTRV reports. If the user gains access to a resource because
a rule exists that gives him that access, no SMF record is generated, unless the rule specifies
LOG instead of ALLOW.

More information can be found in the CA ACF2 for z/OS Administration Guide, Chapter 2,
under the topic "Providing Dynamic Logonid Privileges".

Environment

Release: ACF2..001AO-16-ACF2
Component: