The ACCESS subcommand simulates validation for users that match the UID mask, ROLE, or USER on each matching rule line. If a logonid matches a rule line, the logonid is not listed for subsequent rule lines that the logonid matches. The exceptions to this rule include:
- Rule lines that contain environment variables such as PROGRAM, SHIFT, and RECCHECK.
- Rule lines with the ROLE keyword, which list logonids under the ROLE each time the ROLE is encountered in a rule line.
ACCESS DSNAME('DSNAME') RESOURCE('RESOURCE') TYPE('TYPE') CLASS('CLASS') SYSID('SYSID')
- DSname(dsname): Specifies the name of a data set. Masking is not allowed. The data set name can be with or without quotes. If quotes are not used, the prefix of the command issuer is used as the high-level qualifier of the data set. A data set name can have from 1 to 22 levels of qualifiers. Each level must begin with an alphabetic character or the following characters:
- Resource(resourcename): Specifies the name of a generalized resource or DB2 resource.
- Type(typecode): Specifies the one- to three-character resource type of the resource.
- Class(class): Specifies the one-character class of the resource. The supported classes for the ACCESS subcommand are R for generalized resources and D for DB2 resources. Class and Sysid are required when specifying a DB2 resource. Default: R
- Sysid(sysid): Specifies the one- to four-character DB2 subsystem ID. Class and Sysid are required when specifying a DB2 resource.
Example: Identify who has write access
The Information System Security Office is responsible for ensuring write access to LINKLIST libraries is limited to system programmers. The ACCESS subcommand lets you identify who has write access to LINKLIST libraries:
ACF
ACCESS DSN('LINKLIST')
ACCESS Subcommand Results as of 03/15/21-2:20 for: LINKLIST LIBRARIES
$KEY: SYS1
Ruleline:LINKLISTLIBRARIES UID(*****SYSPROG) READ(A) WRITE(L) ALLOC(L) EXEC(A)
Ruleline:LINKLISTLIBRARIES UID(*****SECADMN) USER(ADMIN01) READ(A)
ACF
In this example, two rule lines matched DSN(LINKLIST) but only the UID SYSPROG mask has write access.
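The same review can be repeated on a schedule by capturing the ACCESS report to a file and checking it with a script. The following Python code is an added example, not part of the product documentation: it parses report text in the layout shown above and lists every rule line that grants WRITE to a UID mask outside an approved set. The approved mask set, the function names, and the third rule line in the sample are assumptions made for illustration.

```python
import re

# Constructed sample modeled on the report layout shown above; the third
# rule line (APPDEV / DEV0042) is invented to produce a finding.
SAMPLE_REPORT = """\
ACCESS Subcommand Results as of 03/15/21-2:20 for: LINKLIST LIBRARIES
$KEY: SYS1
Ruleline:LINKLISTLIBRARIES UID(*****SYSPROG) READ(A) WRITE(L) ALLOC(L) EXEC(A)
Ruleline:LINKLISTLIBRARIES UID(*****SECADMN) USER(ADMIN01) READ(A)
Ruleline:LINKLISTLIBRARIES UID(*****APPDEV) USER(DEV0042) READ(A) WRITE(A)
"""

# Assumption: the site approves only this UID mask for write access.
APPROVED_WRITE_MASKS = {"*****SYSPROG"}

# ACF2 access values: A = allow, L = allow and log, P = prevent.
# A permission that is absent from a rule line is treated as prevent.
GRANTING = {"A", "L"}

PERM_RE = re.compile(r"\b(READ|WRITE|ALLOC|EXEC)\(([ALP])\)")
UID_RE = re.compile(r"\bUID\(([^)]*)\)")
USER_RE = re.compile(r"\bUSER\(([^)]*)\)")


def parse_rule_lines(report):
    """Return one dict per 'Ruleline:' line in the captured report text."""
    entries = []
    for line in map(str.strip, report.splitlines()):
        if not line.startswith("Ruleline:"):
            continue  # report header, $KEY line, or prompt
        uid = UID_RE.search(line)
        entries.append({"uid": uid.group(1) if uid else None,
                        "users": USER_RE.findall(line),
                        "perms": dict(PERM_RE.findall(line))})
    return entries


def unapproved_writers(report, approved=APPROVED_WRITE_MASKS):
    """List (uid_mask, users) for rule lines granting WRITE outside `approved`.

    A rule line with no UID mask (for example a ROLE line) has uid None and
    is reported, so it gets a manual review rather than a silent pass.
    """
    return [(e["uid"], e["users"]) for e in parse_rule_lines(report)
            if e["perms"].get("WRITE") in GRANTING and e["uid"] not in approved]


if __name__ == "__main__":
    for uid, users in unapproved_writers(SAMPLE_REPORT):
        print(f"REVIEW: UID({uid}) users={users} has WRITE access")
```
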
Example: Enable ACCESS Subcommand
To enable the ACCESS subcommand, you must define the GSO OPTS record ACCESS field, refresh the record, and issue the NEWUID operator command. The GSO OPTS record ACCESS field specifies if the ACCESS subcommand is enabled for processing. The NEWUID operator command builds the cross-reference tables to associate UIDs with logonids.
ACF
SET CONTROL(GSO)
CHANGE OPTS ACCESS
F ACF2,REFRESH(OPTS)
F ACF2,NEWUID