What is needed in ACF2 for IBM apar UA83944?

search cancel

What is needed in ACF2 for IBM apar UA83944?

book

Article ID: 14677

calendar_today

Updated On:

Products

ACF2 ACF2 - DB2 Option ACF2 for zVM ACF2 - z/OS ACF2 - MISC PanApt PanAudit

Issue/Introduction

With OA47269 & OA49446 applied, authority is checked for a PATH,
or AIX that is being defined. However, authority is not checked
for the base cluster. This can lead to authorization failues
once a base cluster is accessed via a PATH or AIX by a user or
application that has authority to the PATH & AIX, but not the
base cluster.

What is needed in ACF2 for IBM apar UA83944?

Environment

z/OS users at release HDZ1D10 or higher that have VSAM CLUSTERs with either Alternate Indexes (AIXs) or PATHs.

Resolution

The IBM fix introduced a new facility class STGADMIN.IGG.CATALOG.SECURIY.BOTH. Users having READ authority to STGADMIN.IGG.CATALOG.SECURIY.BOTH are required to have ALTER authority to both the CLUSTER and the PATH or AIX when defining a path or AIX. This ensures sufficient authority to both the CLUSTER and AIX or PATH on subsequent VSAM OPENs. Problem is resolved when PTFs are applied and READ authority is established to STGADMIN.IGG.CATALOG.SECURIY.BOTH for all users.

A sample ACF2 rule would look like this:

$KEY(STGADMIN) TYPE(FAC)
IGG.CATALOG.SECURIY.BOTH UID(-) SERVICE(READ) ALLOW

Additional Information

The link to the IBM information: http://www-01.ibm.com/support/docview.wss?uid=isg1OA50118

Feedback

thumb_up Yes

thumb_down No