ACFRPTXR output versus ACCESS Subcommand difference with ACF2 NEXTKEY Rules
Article ID: 203801
Updated On:
Products
Issue/Introduction
The ACFRPTXR report doesn't stop processing a ruleset when it hits a UID(*) PREVENT rule line that might be in place to either force everyone into a NEXTKEY rule or stop further checking of rule lines in the ruleset and deny access. The ACCESS command provides similar information but accurately stops at the UID(*) PREVENT rules. Is there a reason for this difference in the ACFRPTXR output? Is there an option that can be specified to make it behave more like the ACCESS command?
Environment
Release : 16.0
Component : CA ACF2 for z/OS
Resolution
The ACFRPTXR report and ACCESS subcommand produce similar results when run with specific parameters. Note that the ACFRPTXR report produces section 'LOGONIDS THAT HAVE ACCESS WITHOUT RULES' which when removed/ignored results in very similar output.
For example with the following rule with NEXTKEY:
$KEY(NEXTBASE)
AA.- UID(*) NEXTKEY(NEXT0001)
AB.- UID(*) NEXTKEY(NEXT0002)
AC.- UID(*) NEXTKEY(NEXT0003)
AD.- UID(*) NEXTKEY(NEXT0004)
AE.- UID(*) NEXTKEY(NEXT0005)
TEST.- UID(*) NEXTKEY(NEXT2KEY)
TEST2.- UID(*) NEXTKEY(NEXT3KEY)
$KEY(NEXT2KEY)
$PREFIX(TESTNXKY.TEST2)
CMGRALRT.- UID(uid of cmgralrt) READ(A) WRITE(A) EXEC(A)
CMGRDMRT.- UID(uid of smgrdmrt) READ(A) WRITE(A) EXEC(A)
CMGRDMRT.- UID(uid of cmgrdmrt) READ(A) WRITE(A) EXEC(A)
CMGRLOGR.- UID(uid of cmgrlogr) READ(A) WRITE(A) EXEC(A)
CMGRMON.- UID(uid of cmgrmon) READ(A) WRITE(A) EXEC(A)
Running the ACFRPTXR report for dataset NEXTBASE.TEST.CMGRDMRT with the following JCL and parameters:
//SYSPRINT DD SYSOUT=*
//SYSUT1 DD UNIT=SYSDA,SPACE=(CYL,(100,100)) DCB=BUFNO=30
//SYSUT2 DD UNIT=SYSDA,SPACE=(CYL,(500,500)),DCB=BUFNO=30
//SYSDSLST DD *,DCB=BLKSIZE=80
SYS1.LINKLIB
//SYSIN DD *
ACF2
NOLID
DSET
DSN(NEXTBASE.TEST.CMGRDMRT)
NEXTKEY
NORRSUM
//*
The report output with the section 'LOGONIDS THAT HAVE ACCESS WITHOUT RULES' removed:
ACF64001 USER REQUESTING REPORT - USER002 - USER001 USER002
OUTPUT LIMITED TO ACF2 RECORDS WITHIN YOUR AUTHORITY AND SCOPE.
AUTHORITY: ACCOUNT AUDIT CMD-PROP SECURITY USER
SCOPE: UID(-) DSN(-) LID(-) SCPLIST(-)
********************************************************************************
--------------------------------------------------------------------------------
DATASET: NEXTBASE.TEST.CMGRDMRT
RULE KEY: NEXTBASE
STORED: 11/20/20-12:26 BY: USER002
TEST.- UID(*) NEXTKEY(NEXT2KEY)
ALL LOGONIDS MATCH SPECIFIED UID STRING
--------------------------------------------------------------------------------
RULE KEY: NEXT2KEY
NEXTKEY CONNECTED FROM RULE KEY: NEXTBASE
STORED: 11/20/20-12:49 BY: USER002
CONTROLS: $PREFIX(NEXTBASE.TEST)
CMGRDMRT.- UID(uid of user002) READ(A) WRITE(A) EXEC(A)
NO LOGONIDS MATCH
CMGRDMRT.- UID(uid of user002) READ(A) WRITE(A) EXEC(A)
USER002(U,NC,SE) USER0020(U,NC,SE)
The ACCESS command with the same dataset NEXTBASE.TEST.CMGRDMRT:
ACF
ACCESS DSNAME('NEXTBASE.test.CMGRDMRT')
ACCESS Subcommand Results as of 11/20/20-12:49 for: NEXTBASE.TEST.CMGRDMRT
Key: NEXTBASE
Ruleline: TEST.- UID(*) NEXTKEY(NEXT2KEY)
Nextkey: NEXT2KEY
Prefix: NEXTBASE.TEST
Ruleline: CMGRDMRT.- UID(uid of user0022) READ(A) WRITE(A) EXEC(A)
Lids: No logonids found
Ruleline: CMGRDMRT.- UID(uid of user002) READ(A) WRITE(A) EXEC(A)
Lids: USER002 USER0020
Return from NEXTKEY: NEXT2KEY
Key: NEXTBASE
RULE
Additional Information
For details on the ACFRPTXR report see section 'ACFRPTXR-The Cross-Reference Report' in the ACF2 documentation.
For details on the ACCESS subcommand see section 'ACCESS Subcommand' in the ACF2 documentation.
Feedback
