When editing an empty dataset, with ISPF, to which I have no access I appear to be able to open, edit and make updates but only when they attempt to save does the violation occur. Why doesn't the violation occur when getting into edit?

book

Article ID: 53263

calendar_today

Updated On:

Products

CA ACF2 CA ACF2 - DB2 Option CA ACF2 for zVM CA ACF2 - z/OS CA ACF2 - MISC CA PanApt CA PanAudit

Issue/Introduction

Description

A user who has no access to a dataset is able to edit an empty dataset or new PDS member and make updates, and gets a violation only when trying to save the dataset or member. Why doesn't the violation occur when getting into edit when the dataset is opened?

The violation is ACF99913 ACF2 VIOLATION-04,00,lid, vol, name, dsn, exit RC 04: Write access was attempted.
req 00: The DADSM OPEN issued the request.

Solution

When editing an empty dataset or PDS member, the access is not checked, when attempting to save, the violation can occur if the user does not have access.

When going into edit, IBM code detects that the sequential dataset is empty; it bypasses open for input because there is nothing to read; it presents the edit screen and the user data is entered into ISPF working storage; when saved, the dataset is opened for output and ACF2 validation occurs.

There is no security exposure. This is working as expected with an ISPF EDIT of an empty dataset or PDS member.

Details on ACF2 ACCESS rules can be found in the CA-ACF2 Security for z/OS Implementation Planning Guide r12, Chapter 2: System Access, Data, and Resource Access, section "Access Rules".

Environment

Release:
Component: ACF2MS