Resource FSA and zFS anomalies.


Article ID: 48615

Products

CA ACF2, CA ACF2 - DB2 Option, CA ACF2 for zVM, CA ACF2 - z/OS, CA ACF2 - MISC, CA PanApt, CA PanAudit

Issue/Introduction

Description:

The following Rule works for one User ID but not another:


  RESOURCE RULE SYSZFS.- STORED BY SECADMIN ON 07/05/13-11:05
  $KEY(SYSZFS.-) TYPE(FSA)
   UID(*) SERVICE(UPDATE) ALLOW

The only difference is that the User ID that works has 'NON-CNCL'. The Rule is designed to allow all Users access to zFS named 'SYSZFS.*'.

Informational PTF RI38633 states new Rules need to be RESIDENT in GSO and the REBUILD command is to be run after all Rule changes.

Solution:

The reason for this FSACCESS Resource Rule problem is that the KEY was set up containing invalid masking characters.

The ACF2 Administration Guide, Chapter 7, Section titled 'Using Masking in Resource Rules', sub-section '$KEY Masks' states:

You can use the asterisk (*) to mask the $KEY control statement value. However, you cannot use the dash (-) as a masking character in the $KEY value. When a dash occurs in the $KEY value, CA ACF2 treats it as a literal character for matching purposes. For example, a Resource name or qualifier of TEST.ABC- matches only TEST.ABC-.

If the Rule KEY contains $KEY(SYSZFS.-), the only Resource it will match is 'SYSZFS.-'. You can use '-' on the Rule line but not on the KEY.

The Rule could be changed to:


  $KEY(SYSZFS) TYPE(FSA)
   - UID(*) SERVICE(UPDATE) ALLOW

Note the '-' before 'UID(*)' on the Rule line; this will match all lower level qualifiers.
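The following is an added example, not CA ACF2 code or output: a small audit script that scans Resource Rule text for $KEY values containing a dash, the condition described above. It assumes the rules have been exported to plain text in the layout shown in this article; the function name `audit_keys` and the third sample rule are constructed for illustration.

```python
import re

# Constructed sample: the two rules from this article plus one made-up
# rule whose key ends in a literal dash (the TEST.ABC- case).
SAMPLE_RULES = """\
$KEY(SYSZFS.-) TYPE(FSA)
 UID(*) SERVICE(UPDATE) ALLOW
$KEY(SYSZFS) TYPE(FSA)
 - UID(*) SERVICE(UPDATE) ALLOW
$KEY(TEST.ABC-) TYPE(FSA)
 UID(*) SERVICE(READ) ALLOW
"""

# Matches the rule header line: $KEY(value) TYPE(type)
KEY_RE = re.compile(r"\$KEY\(([^)]*)\)\s+TYPE\((\w+)\)")


def audit_keys(rule_text):
    """Return (key, type, severity, message) for each $KEY containing '-'."""
    findings = []
    for match in KEY_RE.finditer(rule_text):
        key, rtype = match.group(1), match.group(2)
        if "-" not in key:
            continue  # '*' masks are valid in $KEY; only '-' is at issue
        qualifiers = key.split(".")
        if "-" in qualifiers:
            # A qualifier consisting only of '-' looks like an intended mask,
            # but ACF2 matches it literally in $KEY.
            base = ".".join(qualifiers[:qualifiers.index("-")])
            hint = (f"; consider $KEY({base}) with '-' on the rule line"
                    if base else "")
            findings.append((key, rtype, "likely-error",
                             f"matches only the literal name '{key}'{hint}"))
        else:
            # Dash embedded in a qualifier: may be a real resource name.
            findings.append((key, rtype, "review",
                             f"'-' is literal; rule matches only '{key}'"))
    return findings


if __name__ == "__main__":
    for finding in audit_keys(SAMPLE_RULES):
        print(finding)
```

Rules flagged `likely-error` are candidates for the correction shown above; rules flagged `review` may be intentional, since a dash can be a real character in a resource name.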

Environment

Release: ACF2..001AO-14-ACF2