search cancel

Cancelling jobs in SDSF using ACF2, but the rule does not work, giving a violation instead.

book

Article ID: 32012

calendar_today

Updated On:

Products

ACF2 ACF2 - z/OS ACF2 - MISC

Issue/Introduction

Problem:

When using SDSF to cancel jobs and STC's.  Rules were written for this as documented in the CA ACF2 Administrator's Guide, Appendix C, Protecting Operator Commands, but for JES2 commands.  The documentation shows:

$key(mvs) type(opr)
 cancel.job.- uid(oper) service(update) allow
 cancel.stc.- uid(oper) service(update) allow
 
Rule was written:

$key(jes2) type(opr)
 cancel.job.- uid(oper) service(update) allow
 cancel.stc.- uid(oper) service(update) allow
 
But still get a violation:
 
ACF04056 ACCESS TO RESOURCE JES2.CANCEL.STC TYPE ROPR BY logonid NOT AUTHORIZED

Environment

Release:
Component: ACF2MS

Resolution

When the resource call is made from z/OS, the resource name for JES2 commands is different then MVS commands.  MVS commands are in the format of:
 
MVS.CANCEL.JOB.jobname
MVS.CANCEL.STC.jobname
 
while JES2 commands are in the format of:
 
JES2.CANCEL.JOB
JES2.CANCEL.STC
 
The resource name for the JES2 commands does not have the granularity that MVS commands do which include the jobname or STC name.  ACF2 cannot change this since this is a z/OS call.  So the JES2 commands will allow the cancellation of ALL batch jobs and STC's.  MVS commands can be selective.

 

Additional information:

For more information on securing commands in SDSF, see technical document KB28218