Fully masked $KEY ACF2 resource rule used instead of a resource rule in extended format

Article ID: 44399


Updated On:

Products

ACF2, ACF2 - DB2 Option, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

There is an ACF2 resource rule in extended format for a resource, but that rule was not used; a fully masked $KEY rule was used instead. Why?

Environment

Release:
Component: ACF2MS

Resolution

If the resource name being validated is 40 characters or fewer, CA ACF2 first searches for the generalized resource rule whose $KEY value most specifically matches the full resource name of the resource being validated. When CA ACF2 finds a rule that matches (directly or with masking) the full resource name, it uses that rule for the validation. When no generalized resource rule key matches the full resource name and the resource name is a qualified resource name, CA ACF2 searches for the resource rule whose $KEY most specifically matches the first qualifier of the resource name. When it finds a rule that matches (directly or with masking) the first qualifier, it uses that rule for the validation. See the following example.                                    

Resource name: TEST.TESTNAME2                                                                

Sample resource rules:                                                        

$KEY(**************) TYPE(ttt)    full key match                              
 UID(...) ALLOW                                                               

$KEY(TEST) TYPE(ttt)              qualifier match                             
 TESTNAME2 UID(...) ALLOW        

ACF2 Resource Validation Process:

  1. Check for a resource rule TYPE(ttt) $KEY that matches the entire resource name TEST.RESOURCE. If found, use that rule for validation.

  2. If a resource rule TYPE(ttt) $KEY that matches the entire resource name is not found, take the HLQ of the resource name and check for a resource rule TYPE(ttt) that matches the HLQ.                                        

Example 1 Resource being validated: TEST.RESOURCE

  1. Check for a resource rule TYPE(ttt) $KEY that matches the entire resource name. Because the mask ************** matches, the $KEY(**************) rule will be used.

Example 2 Resource being validated: TEST.RESOURCE.LEN19

  1. Check for a resource rule TYPE(ttt) $KEY that matches the entire resource name. The mask ************** contains 14 '*' and the resource TEST.RESOURCE.LEN19 is 19 characters long, so no TYPE(ttt) resource rule has a $KEY that matches the entire resource name TEST.RESOURCE.LEN19.

  2. Take the HLQ TEST of the resource TEST.RESOURCE.LEN19 and check for a resource rule TYPE(ttt) $KEY that matches TEST. The $KEY(TEST) rule matches and will be used.

Note: If you use a fully masked resource rule $KEY value as a catch-all rule, and you also use resource rules with qualifier $KEY values, remember that CA ACF2 searches first for the generalized resource rule whose $KEY value matches the full resource name of the resource being validated. If CA ACF2 finds a rule that matches (directly or with masking) the full resource name, it uses that rule for the validation and does not search for a match using the first qualifier of the resource name. In the previous example, if both resource rules exist, CA ACF2 will find and use the fully masked resource rule with $KEY(**************), and will not use the resource rule with the qualifier $KEY(TEST).
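
The two-stage $KEY search described above can be modelled offline to find resource names where a fully masked catch-all shadows a qualifier-keyed rule. This is an added example, not CA ACF2 code or part of the original article. It assumes that each `*` in a $KEY stands for zero or one character (consistent with Examples 1 and 2) and that "most specific" means the key with the most literal characters; the function names are hypothetical.

```python
import re

MAX_FULL_NAME_LEN = 40  # the article describes this search for names of 40 characters or fewer

def key_matches(key, name):
    """Assumed mask model: each '*' in a $KEY stands for zero or one character."""
    pattern = "".join(".?" if c == "*" else re.escape(c) for c in key)
    return re.fullmatch(pattern, name) is not None

def specificity(key):
    # Assumption: more literal (non-mask) characters means a more specific key.
    return sum(1 for c in key if c != "*")

def best_key(keys, name):
    hits = [k for k in keys if key_matches(k, name)]
    return max(hits, key=specificity) if hits else None

def select_rule(keys, resource):
    """Return (stage, key) for the $KEY the two-stage search would pick."""
    if len(resource) > MAX_FULL_NAME_LEN:
        raise ValueError("model covers only names of 40 characters or fewer")
    key = best_key(keys, resource)                      # stage 1: full resource name
    if key is not None:
        return ("full", key)
    if "." in resource:                                 # stage 2: first qualifier only
        key = best_key(keys, resource.split(".", 1)[0])
        if key is not None:
            return ("qualifier", key)
    return (None, None)

def shadowed(keys, resources):
    """Resources whose qualifier-keyed rule exists but loses to a full-name match."""
    out = []
    for r in resources:
        stage, key = select_rule(keys, r)
        hlq_key = best_key(keys, r.split(".", 1)[0]) if "." in r else None
        if stage == "full" and hlq_key is not None and hlq_key != key:
            out.append((r, key, hlq_key))
    return out

KEYS = ["**************", "TEST"]   # the two sample $KEY values from this article
NAMES = ["TEST.RESOURCE", "TEST.RESOURCE.LEN19", "TEST.TESTNAME2"]

if __name__ == "__main__":
    for n in NAMES:
        print(n, "->", select_rule(KEYS, n))
    print("shadowed:", shadowed(KEYS, NAMES))
```

Any name reported by `shadowed` is validated against the catch-all rule's entries, so access decisions written under the qualifier $KEY never apply to it.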