Problem:
I am getting a violation with new HFS rules, even though the TEST command works. The rule looks like this:
$KEY(/usr) TYPE($UM)
/lpp/mqm UID(PROD) SERVICE(READ) ALLOW
/lpp/mqm UID(OPER) SERVICE(READ) ALLOW
- UID(*) PREVENT
Cause:
CA ACF2 resource rule processing treats the period character as a delimiter. This delimiter is used when writing extended resource rules, that is, rules that provide security for resource names longer than forty characters. Path names, however, use the slash character as a delimiter. Before a file is validated, every slash character in the path name except the first is translated into a period delimiter. Other special characters are translated into the dollar sign ($). These include characters that are used as masking characters in resource rules; if not translated, these characters could create undesired results. The special characters include the period, asterisk, dash, plus, blank, and quote. An exit point is provided that can further modify any character to meet special needs, with the exception of the slash character, which is always translated to a period delimiter.
Resolution:
Write the rule entries with the period delimiter instead of the slash, so the rule looks like this:
$KEY(/usr) TYPE($UM)
lpp.mqm UID(PROD) SERVICE(READ) ALLOW
lpp.mqm UID(OPER) SERVICE(READ) ALLOW
- UID(*) PREVENT
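
The translation described under Cause, modeled in Python as an added example (not CA ACF2 code and not part of the original article). It assumes "quote" means the apostrophe and does not model the exit point; the function names translate_path and rule_entry_for are hypothetical, and the sample paths beyond /usr/lpp/mqm are constructed.

```python
# Added illustration: a simplified model of the path-name translation described
# in the Cause section. Not CA ACF2 code; the exit point is not modeled.

# Special characters the page lists: period, asterisk, dash, plus, blank, quote.
# Assumption: "quote" is taken here to be the apostrophe.
SPECIAL = set(".*-+ '")


def translate_path(path: str) -> str:
    """Return the resource name a path is validated under."""
    if not path.startswith("/"):
        raise ValueError("expected an absolute path name")
    out = []
    for i, ch in enumerate(path):
        if ch == "/":
            # The first slash is kept; every later slash becomes the delimiter.
            out.append("/" if i == 0 else ".")
        elif ch in SPECIAL:
            # Characters that could act as masks or delimiters become '$'.
            # A period already in the path is caught here, so it can never be
            # confused with a delimiter produced from a slash.
            out.append("$")
        else:
            out.append(ch)
    return "".join(out)


def rule_entry_for(path: str, key: str) -> str:
    """Return the part of the translated name that follows $KEY(key)."""
    name = translate_path(path)
    if name == key:
        return ""
    if not name.startswith(key + "."):
        raise ValueError(f"{name} is not under $KEY({key})")
    return name[len(key) + 1:]


if __name__ == "__main__":
    # Constructed sample paths; only /usr and lpp/mqm come from the article.
    samples = ("/usr/lpp/mqm", "/usr/lpp/mqm/bin/run-me.sh", "/usr/lpp/mqm/my file*")
    for p in samples:
        print(f"{p!r} -> {translate_path(p)!r}, entry {rule_entry_for(p, '/usr')!r}")
```

Running a path through the translation before coding the rule entry shows which characters end up as $ and must be written that way, or masked, in the rule.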