Can you provide sample ACF2 Compliance Information Analysis(CIA) CIARPT03 report input and output?
Article ID: 48237
Updated On:
Products
ACF2
ACF2 - DB2 Option
ACF2 for zVM
ACF2 - z/OS
ACF2 - MISC
PanApt
PanAudit
Issue/Introduction
The ACF2 Compliance Information Analysis(CIA) CIARPT03 report will show what rules allowed access to a dataset HLQ or a Resource HLQ or resource name, if the rule is coded with ROLE the report will show the role and logonids that belong to the role.
CIARPT03 Roles and Users by Resource
The ACF2 Compliance Information Analysis(CIA) CIARPT03 report will show what rules allowed access to a dataset HLQ or a Resource HLQ or resource name, if the rule is coded with ROLE the report will show the role and logonids that belong to the role.
The following example is run with input parameters specifying a HLQ Resource name of TEST, Resource class RFAC.
The Report shows that there are two resource rules that would match a RFAC resource with a HLQ of TEST, rule $KEY(********) and rule
$KEY(TEST.RESOURCE.ROLE).
ACF
SET RESOURCE(FAC)
LIST ********
$KEY(********) TYPE(FAC)
- UID(*) ALLOW
LIST TEST.RESOURCE.ROLE
$KEY(TEST.RESOURCE.ROLE) TYPE(FAC) ROLESET
ROLE(LIBERTY) SERVICE(READ) LOG
ACF
SET X(ROL)
LIST LIBERTY
SYS8 / LIBERTY LAST CHANGED BY USER002 ON 05/02/14-09:37
INCLUDE(USER002 TEST002 TEST003 TEST004 TEST099 TEST111
TEST222 TEST333) ROLE
Rule $KEY(********) is not a ROLESET rule so the report shows what logonids
are allowed access based on the Rule Entry. Since the rule entry is
'- UID(*)' the report shows 'All users match this UID mask.'.
Rule $KEY(TEST.RESOURCE.ROLE) is a ROLESET rule so the report shows that the
Role Liberty has access, and the report lists all logonids that belong to the
LIBERTY ROLE.
Sample JCL:
//CIARPT03 EXEC PGM=CIARPT03,REGION=0M
//STEPLIB DD DISP=SHR,DSN=SYS1.ACF2R15.CAX1LINK
// DD DISP=SHR,DSN=SYS1.EZT.CAILOAD
// DD DISP=SHR,DSN=SYS1.PANSQL.CAILIB
// DD DISP=SHR,DSN=SYS1.PRIVATE.SDSNEXIT
// DD DISP=SHR,DSN=SYS1.DB2910.SDSNLOAD
//EZTVFM DD UNIT=3390,SPACE=(CYL,(10,1))
//SYSPRINT DD SYSOUT=*
//RPTOUT DD SYSOUT=*
//CNTLCARD DD *
* Parameters go here
* Parameter Names must start in column 1
* Parameter Values must start in column 10
* Use an * in column 1 for comments, such as this one.
* Here are some sample parameters that could be used to
* run the report:
SYSID DE28
CLASS RFAC
RESOURCE TEST
PREFIX Y
SPECIAL N
USERIDS Y
USERNAME Y
VOLSER %
DATETIME Y
LINECNT 60
/*
Sample Report Output:
5/02/2014 12.45.14 Compliance Information Report Roles and Users by Resource
Input Parameters
----------------
SYSID = DE28
CLASS = RFAC
RESOURCE = TEST
PREFIX = Y
SPECIAL = N
USERIDS = Y
USERNAME = Y
VOLSER = %
DATETIME = Y
LINECNT = 60
CAS4141W VOLSER ignored because CLASS is not DATASET
Systems in the repository matching the requested SYSID:
Sysid Application Name Application Version Load Date
-------- ------------------------ ------------------------ ----------
DE28 CA ACF2 Release 15.0 2014-02-12
5/02/2014 12.45.14 Compliance Information Report Roles and Users by Resource
Compliance Information for System: DE28 Product: CA ACF2
Access Due to Policy
============================================================================
CLASS: RFAC $KEY: ********
LAST CHANGED BY: JACBE01 on 2007-07-26 at 11.03.20
----------------------------------------------------------------------------
RESMASK: ********.-
UID: ************************
ACCESS: ALL(ALLOW)
USERID(S) with access:
All users match this UID mask.
=============================================================================
CLASS: RFAC $KEY: TEST.RESOURCE.ROLE
LAST CHANGED BY: USER002 on 2014-05-01 at 14.49.05
-----------------------------------------------------------------------------
RESMASK: TEST.RESOURCE.ROLE
ROLE: LIBERTY
ACCESS: READ(LOG)
USERID(S) with access:
Userid Name Userid Name
-------- -------------------------------- -------- -----------------------
USER002 Tom Jones TEST002 ROB Best
TEST004 My TEST 4 TEST099 ROB BEST 99
TEST222 Jackie Smith TEST333 KATE MEL
TEST003 TEST ID 03 TEST111 TEST LOGONID 11
8 users match this ROLE.
Environment
Release: ACF2..001AO-15-ACF2
Component:
Component:
Resolution
CIARPT03 Roles and Users by Resource
The ACF2 Compliance Information Analysis(CIA) CIARPT03 report will show what rules allowed access to a dataset HLQ or a Resource HLQ or resource name, if the rule is coded with ROLE the report will show the role and logonids that belong to the role.
The following example is run with input parameters specifying a HLQ Resource name of TEST, Resource class RFAC.
The Report shows that there are two resource rules that would match a RFAC resource with a HLQ of TEST, rule $KEY(********) and rule
$KEY(TEST.RESOURCE.ROLE).
ACF
SET RESOURCE(FAC)
LIST ********
$KEY(********) TYPE(FAC)
- UID(*) ALLOW
LIST TEST.RESOURCE.ROLE
$KEY(TEST.RESOURCE.ROLE) TYPE(FAC) ROLESET
ROLE(LIBERTY) SERVICE(READ) LOG
ACF
SET X(ROL)
LIST LIBERTY
SYS8 / LIBERTY LAST CHANGED BY USER002 ON 05/02/14-09:37
INCLUDE(USER002 TEST002 TEST003 TEST004 TEST099 TEST111
TEST222 TEST333) ROLE
Rule $KEY(********) is not a ROLESET rule so the report shows what logonids
are allowed access based on the Rule Entry. Since the rule entry is
'- UID(*)' the report shows 'All users match this UID mask.'.
Rule $KEY(TEST.RESOURCE.ROLE) is a ROLESET rule so the report shows that the
Role Liberty has access, and the report lists all logonids that belong to the
LIBERTY ROLE.
Sample JCL:
//CIARPT03 EXEC PGM=CIARPT03,REGION=0M
//STEPLIB DD DISP=SHR,DSN=SYSX.ACF2.CAX1LINK
// DD DISP=SHR,DSN=SYSX.EZT.CAILOAD
// DD DISP=SHR,DSN=SYSX.PANSQL.CAILIB
// DD DISP=SHR,DSN=SYSX.PRIVATE.SDSNEXIT
// DD DISP=SHR,DSN=SYSX.DB2.SDSNLOAD
//EZTVFM DD UNIT=3390,SPACE=(CYL,(10,1))
//SYSPRINT DD SYSOUT=*
//RPTOUT DD SYSOUT=*
//CNTLCARD DD *
* Parameters go here
* Parameter Names must start in column 1
* Parameter Values must start in column 10
* Use an * in column 1 for comments, such as this one.
* Here are some sample parameters that could be used to
* run the report:
SYSID DE28
CLASS RFAC
RESOURCE TEST
PREFIX Y
SPECIAL N
USERIDS Y
USERNAME Y
VOLSER %
DATETIME Y
LINECNT 60
/*
Sample Report Output:
5/02/2014 12.45.14 Compliance Information Report Roles and Users by Resource
Input Parameters
----------------
SYSID = DE28
CLASS = RFAC
RESOURCE = TEST
PREFIX = Y
SPECIAL = N
USERIDS = Y
USERNAME = Y
VOLSER = %
DATETIME = Y
LINECNT = 60
CAS4141W VOLSER ignored because CLASS is not DATASET
Systems in the repository matching the requested SYSID:
Sysid Application Name Application Version Load Date
-------- ------------------------ ------------------------ ----------
DE28 CA ACF2 Release 15.0 2014-02-12
5/02/2014 12.45.14 Compliance Information Report Roles and Users by Resource
Compliance Information for System: DE28 Product: CA ACF2
Access Due to Policy
============================================================================
CLASS: RFAC $KEY: ********
LAST CHANGED BY: USER001 on 2007-07-26 at 11.03.20
----------------------------------------------------------------------------
RESMASK: ********.-
UID: ************************
ACCESS: ALL(ALLOW)
USERID(S) with access:
All users match this UID mask.
=============================================================================
CLASS: RFAC $KEY: TEST.RESOURCE.ROLE
LAST CHANGED BY: USER002 on 2014-05-01 at 14.49.05
-----------------------------------------------------------------------------
RESMASK: TEST.RESOURCE.ROLE
ROLE: LIBERTY
ACCESS: READ(LOG)
USERID(S) with access:
Userid Name Userid Name
-------- -------------------------------- -------- -----------------------
USER002 Tom Jones TEST002 ROB Best
TEST004 My TEST 4 TEST099 ROB BEST 99
TEST222 Jackie Smith TEST333 KATE MEL
TEST003 TEST ID 03 TEST111 TEST LOGONID 11
8 users match this ROLE.
Feedback
Yes
No
Powered by
