ACFRPTXR-The Cross-Reference Report

ACFRPTXR determines who has access to a specified data set or resource, based on standard CA ACF2 security controls. For each data set or resource specified, ACFRPTXR finds the associated rules and displays the logonids whose UID strings match the UID parameter in the rule.
The ACFRPTXR report will process every rule entry in the rule that matches the data set specified. The ACFRPTXR report will not stop processing after a matching PREVENT rule entry is found.
Checking Authorizations
The user running the report must have the SECURITY, ACCOUNT, or AUDIT attribute to use the online data sets. Additionally, only logonid records and rule records that the user normally has CA ACF2 access to are processed for the report. Rule and logonid records outside the scope of the requester do not appear on reports run in “ACF2” mode.
Exit Considerations
ACFRPTXR does not support any user data set or resource validation exits, except in the case of alternate rule selection. This situation usually arises when a user data set prevalidation exit changes the rule key used to validate access to a data set. ACFRPTXR has parameters to simulate this situation where desired. Other results displayed are subject to alteration due to local exit coding.
For each data set or resource that ACFRPTXR processes, a report is generated detailing the input parameters specified and information about the applicable rule set. ACFRPTXR checks each rule entry on an individual basis and compares the User identification string (UID) in each rule entry to the UID of each logonid record. If the UIDs match, the rule is considered applicable to the logonid processed and the entire rule is printed with the logonid.
Whenever an applicable rule is found, ACFRPTXR prints the rule. If the LID parameter is specified, ACFRPTXR also lists all logonids that match the UID of the data set or resource processed, or that have any special CA ACF2 authorizations. A reason code indicating why the access is permitted is listed for each logonid.
Running the Report Using the ISPF Panel
You can use the ACFRPTXR ISPF panel to create input for the report. The following parameters can be found on the ACFRPTXR ISPF panel.
TITLE
Specifies a character string added to other title information at the top of the report. This character string can be up to 35 characters in length. If you do not specify this parameter, the report generator uses the first 35 characters in the PARM field of the EXEC statement. If this character string is longer than 35 characters, only the first 35 characters are used.
ACF2
Specification of this parameter is required.
ACF2 indicates that ACFRPTXR uses the online CA ACF2 clusters. The CA ACF2 system must be active on this CPU for this type of processing.
Running the ACFRPTXR report with this parameter can affect performance.
NOACF2 indicates that the report is based on alternate databases provided by the RULES, LOGONIDS, or INFOSTG input files. When alternate databases are specified as input, ACFRPTXR does not take scope records into consideration when access authorization checking is performed.
RRSUM
Specifies that the additional Rule Record Summary portion of ACFRPTXR is produced at the end of the report. This includes an entry for each rule record (that is, high-level index, $KEY value, or resource TYPE, NAME, and CLASS combination) used in producing the report. This portion of the report is also where the detailed logonid lists for each %CHANGE or %RCHANGE record encountered are displayed (assuming the LID option is also specified). Thus, when the message %CHANGE DATA EXISTS or %RCHANGE DATA EXISTS appears in the main part of the report after the RULE KEY line, the related LID and UID entries are printed in the Rule Record Summary.
LID
LID indicates that ACFRPTXR is to create a cross-reference report and list all of the logonids that have access to the specified data set or resource.
NOLID suppresses the listing of logonids. Only the applicable rule sets are listed.
DSET
DSET specifies that ACFRPTXR process data set access rules. The DSN, RKEY, and VOL input parameters might be provided using the JCL parameter field or the SYSDSLST input file. See also the DSN, RKEY, and VOL parameters in the following.
RSRC specifies that ACFRPTXR process resource rule sets and CA ACF2 for DB2 rule sets. The TYPE, NAME, and CLASS input parameters might be provided through either the JCL parameter field or the SYSRSLST input file. See also the TYPE, NAME, and CLASS parameters in the following.
DEFROLE
Specifies that ACFRPTXR uses the active ROLE records defined on the active CA ACF2 system for reports run against the off-line databases. When the alternate databases are specified as input (NOACF2 parameter) and DEFROLE is not specified, ACFRPTXR does not take any ROLE records into consideration when access authorization checking is performed.
For reports run against the online databases (ACF2 parameter), the active CA ACF2 ROLE records are always utilized.
LIDNAME
Produces a combined list of all logonids and their complete logonid name that have access to the specified data set or resource. LIDNAME is only active when LID is specified. Select N(No) to produce the condensed list of the LIDs. Select Y(Yes) to produce a larger output of the LIDs and their complete logonid name.
NEXTKEY
Indicates that the NEXTKEY rule chain will be reported. Use of the NEXTKEY report parameter may significantly expand the report output.
NOUIDALL
Indicates that the rule lines specifying a UID(*), USER(-) or ROLE(-) will be suppressed. Use of the NOUIDALL report parameter filters the report output.
DATA SET NAME
Specifies that ACFRPTXR uses a single data set name without the need for the SYSDSLST file. This parameter is valid only when the DSET parameter is also specified and cannot be used with the SYSDSLST input file. The name specified must be fully qualified (regardless of time sharing option) but must not be specified in quotes. The data set name high-level index name is used as the key to identify the applicable access rule set unless the RKEY parameter (see the following) is also specified. In the case where the listing of a full rule set for a particular $KEY is desired, the DSN field must be defined as DSN(-) and the applicable $KEY value defined in the RKEY parameter.
RKEY
This parameter is valid only when the DSET parameter is also specified. RKEY has two uses:
  • RKEY is used with the DSN parameter to specify the key of the rule set used to validate the data set access. This is similar to the concept of using the CA ACF2 Data Set Prevalidation exit to perform the same function at run time. Usually, the only necessity to specify RKEY is when some rule record other than the one under the data set high-level index is to be used for rule checking.
  • RKEY is used with a DSN parameter of dash (-) when you want to list all the rule entries for a particular key.
VOLSER
Specifies the volume serial number of the volume where the data set resides. If no volume serial is specified, all volume information in the access rule set is ignored (volume masks specified in the rules are all considered as matches). VOL is valid only when the DSET parameter is also specified.
TYPE
Specifies the three-character resource type processed. TYPE is valid only when the RSRC and NAME parameters are also specified. If TYPE, NAME, and CLASS are not specified, the SYSRSLST file is used for input.
CLASS
Specifies the one-character storage class code of the resource processed. The default code is R (for resource rules). The storage class code for CA ACF2 for DB2 rule sets is D (for DB2). If TYPE, NAME, and CLASS are not specified in the JCL parameter field, the SYSRSLST file is used for input. TYPE, NAME, and CLASS cannot be specified in both the JCL parameter field and the SYSRSLST file.
NAME
Specifies the name of the resource processed. NAME is valid only when used with the RSRC, TYPE, and CLASS parameters. For CA ACF2 for DB2 rules, the NAME is the DB2 subsystem ID (SYSID) concatenated with the resource name ($KEY). You can specify NAME as a dash (-) to process every name present in the specified TYPE. This field is maskable with asterisks. Masking with an asterisk follows normal masking conventions. If TYPE, NAME, and CLASS are not specified in the JCL parameter field, the SYSRSLST file is used for input. You cannot specify TYPE, NAME, and CLASS in both the JCL parameter field and the SYSRSLST file.
OUTPUT LIST NAME: LIST ID
Specifies the one- to eight-character output list name. ISPF prefixes the name you specify with the user's prefix from his profile and the characters ACF2.ACFRPTXR. For example, if you specify TEST as the output list name, your output list data set name is dft-pfx.ACF2.ACFRPTXR.TEST.
Running the Report Using JCL
You can use JCL instead of the ISPF panel to run the ACFRPTXR report. To run the ACFRPTXR report, see the documentation about using sample JCL to execute reports. The following are the parameters for this report.
{ACF2|NOACF2}
Specification of this parameter is required.
ACF2 specifies that ACFRPTXR use the online CA ACF2 clusters. The CA ACF2 system must be active on this CPU for this type of processing.
CAUTION! Running the ACFRPTXR report with ACF2 specified can affect performance.
NOACF2 specifies that the report is based on alternate databases provided by the RULES, LOGONIDS, or INFOSTG input files. When alternate databases are specified as input, ACFRPTXR does not take scope records into consideration when access authorization checking is performed.
[DSET|RSRC]
DSET specifies that ACFRPTXR process data set access rules. The DSN, RKEY, and VOL input parameters might be provided using the JCL parameter field or the SYSDSLST input file. See also the DSN, RKEY, and VOL parameters in the following.
RSRC specifies that ACFRPTXR process resource rule sets and CA ACF2 for DB2 rule sets. The TYPE, NAME, and CLASS input parameters might be provided through either the JCL parameter field or the SYSRSLST input file. See also the TYPE, NAME, and CLASS parameters in the following.
[DSN(dsn)]
Specifies that ACFRPTXR use a single data set name without the need for the SYSDSLST file. This parameter is valid only when the DSET parameter is also specified and cannot be used with the SYSDSLST input file. The name specified must be fully qualified (regardless of time sharing option) but must not be specified in quotes. The data set name high-level index name is used as the key to identify the applicable access rule set unless the RKEY parameter (see the following) is also specified. In the case where the listing of a full rule set for a particular $KEY is desired, the DSN field must be defined as DSN(-) and the applicable $KEY value defined in the RKEY parameter.
[LID|NOLID]
LID indicates that ACFRPTXR is to create a cross-reference report and list all of the logonids that have access to the specified data set or resource.
NOLID suppresses the listing of logonids. Only the applicable rule sets are listed.
[LIDNAME]
Produces a combined list of all logonids and their complete logonid name that have access to the specified data set or resource. LIDNAME is only active when LID is specified. When LIDNAME is not specified in the parameter list, the condensed list of the LIDs is produced.
[NAME(name)]
Specifies the name of the resource processed. NAME is valid only when used with the RSRC, TYPE, CLASS parameters. For CA ACF2 for DB2 rules, the NAME is the DB2 subsystem ID (SYSID) concatenated with the resource name ($KEY). You can specify NAME as a dash (-) to process every name present in the specified TYPE. This field is maskable with asterisks. Masking with an asterisk follows normal masking conventions. If TYPE, NAME, and CLASS are not specified in the JCL parameter field, the SYSRSLST file is used for input. You cannot specify TYPE, NAME, and CLASS in both the JCL parameter field and the SYSRSLST file.
[NEXTKEY]
Indicates that the NEXTKEY rule chain will be reported. Use of the NEXTKEY report parameter may significantly expand the report output. The default is NEXTKEY is not enabled and the NEXTKEY rule chain will not be reported.
[NOUIDALL]
Indicates that rule lines specifying a UID(*), USER(-) or ROLE(-) will be suppressed. Use of the NOUIDALL report parameter filters the report output. The default is NOUIDALL is not enabled and all the rule lines that match the criteria will be reported.
[RKEY(rule-key)]
This parameter is valid only when the DSET parameter is also specified. RKEY has two uses:
  • RKEY is used with the DSN parameter to specify the key of the rule set used to validate the data set access. This is similar to the concept of using the CA ACF2 Data Set Prevalidation exit to perform the same function at run time. Usually, the only necessity to specify RKEY is when some rule record other than the one under the data set high-level index is to be used for rule checking.
  • RKEY is used with a DSN parameter of dash (-) when you want to list all the rule entries for a particular key.
[RRSUM|NORRSUM]
Specifies that the additional Rule Record Summary portion of ACFRPTXR is produced at the end of the report. This includes an entry for each rule record (that is, high-level index, $KEY value, or resource TYPE, NAME, and CLASS combination) used in producing the report. This portion of the report is also where the detailed logonid lists for each %CHANGE or %RCHANGE record encountered are displayed (assuming the LID option is also specified). Thus, when the message %CHANGE DATA EXISTS or %RCHANGE DATA EXISTS appears in the main part of the report after the RULE KEY line, the related LID and UID entries are printed in the Rule Record Summary.
[CLASS(R|class)]
Specifies the one-character storage class code of the resource processed. The default code is R (for resource rules). The storage class code for CA ACF2 for DB2 rule sets is D (for DB2). If TYPE, NAME, and CLASS are not specified in the JCL parameter field, the SYSRSLST file is used for input. TYPE, NAME, and CLASS cannot be specified in both the JCL parameter field and the SYSRSLST file.
[TYPE(type)]
Specifies the three-character resource type processed. TYPE is valid only when the RSRC and NAME parameters are also specified. If TYPE, NAME, and CLASS are not specified in the JCL parameter field, the SYSRSLST file is used for input. TYPE, NAME, and CLASS cannot be specified in both the JCL parameter field and the SYSRSLST file.
[VOL(volser)]
Specifies the volume serial number of the volume where the data set resides. If no volume serial is specified, all volume information in the access rule set is ignored (volume masks specified in the rules are all considered as matches). VOL is valid only when the DSET parameter is also specified.
[DEFROLE]
Specifies that ACFRPTXR uses the active ROLE records defined on the active CA ACF2 system for reports run against the off-line databases. When the alternate databases are specified as input (NOACF2 parameter) and DEFROLE is not specified, ACFRPTXR does not take any ROLE records into consideration when access authorization checking is performed.
For reports run against the online databases (ACF2 parameter), the active CA ACF2 ROLE records are always utilized.
Common Parameters
ACFRPTXR accepts the LINECNT, SYSID, and TITLE common parameters. For JCL, ACFRPTXR accepts parameters from the JCL parameter field and the SYSIN file in combination.
Input and Output Files
ACFRPTXR accepts input from several sources. The standard SYSIN file can process one data set name or resource. The SYSUT2 file defines work space for resource processing. For processing multiple data sets, use the SYSDSLST file. For processing multiple resource types, use SYSRSLST. All output from ACFRPTXR is written to the SYSPRINT file.
ACFRPTXR is used to examine the access controls in place during a given time frame. Historical data is specified as input through the LOGONIDS, RULES, and INFOSTG files. To use this facility, the appropriate CA ACF2 databases are built from SMF backup files or from backup copies of the CA ACF2 databases. The ACFRECVR utility is used to build these databases. Scope records are not taken into consideration when ACFRPTXR processes input data from the LOGONIDS, RULES, or INFOSTG files.
SYSPRINT
Used for message and report output. If ACFRPTXR is run in a TSO environment and this file is not allocated, the report output is directed to a TSO terminal.
SYSIN
The SYSIN file is used to specify input parameter information for ACFRPTXR. ACFRPTXR accepts all parameter input from the SYSIN file, the JCL parameter field, or both. The parameters specified in the SYSIN file supersede those specified in the JCL parameter field.
If ACFRPTXR is run under TSO and the SYSIN file is not allocated to a TSO terminal, ACFRPTXR prompts for input parameter information at the terminal by the string “XR?”
SYSDSLST
SYSDSLST is an optional file used to specify a list of data set names processed by ACFRPTXR. This file is used only when the DSET input parameter is selected. Operation of ACFRPTXR for a single data set is specified in the JCL parameter field. If the DSN parameter is not specified on the JCL parameter field, ACFRPTXR expects to process the SYSDSLST input file. With this facility, you can process a list of multiple data set names. This type of processing is useful when all the data sets in the system are requested. Large volume requests should not be done online. The format of the SYSDSLST input statement is:
dsn [vol] RKEY(rule-key)
In this format, the dsn and vol parameters are positional (that is, must appear in this sequence and before RKEY, if present).
dsn
The name specified must be fully qualified (regardless of time sharing option) but must not be specified in quotes. The data set name high-level index name is used as the key to identify the applicable access rule set unless the RKEY parameter is also specified. In the case where the listing of a full rule set for a particular $KEY is desired, the DSN field must be defined as '-' and the applicable $KEY value defined in the RKEY parameter. For example:
//SYSDSLST DD *
- RKEY(SYS1)
- RKEY(SYS2)
vol
Specifies the name of the volume where the data set resides. If omitted, all volser specifications in the access rule set are ignored (all match).
RKEY(rule-key)
Specifies an alternate access rule key instead of the data set high-level index.
Note: If ACFRPTXR is run under TSO and the SYSDSLST file is not allocated or is allocated to a TSO terminal, ACFRPTXR prompts for input at the terminal with the string “DS?” Do not specify this file if the DSN, RKEY, or VOL parameters are specified in the JCL parameter field. For batch jobs, the job terminates with an error message if one of the following is not specified: the JCL parameter field, the SYSIN file, or SYSDSLST.
SYSRSLST
SYSRSLST is an optional file that specifies a list of resource names. The SYSRSLST file is valid only when used with the RSRC input parameter. If only one resource name is processed, specify the resource in the TYPE, NAME, and CLASS parameter fields. The format of SYSRSLST input is as follows:
TYPE(type) NAME(name) [CLASS(R|class)]
The type, name, and class parameters are positional (that is, must appear in this sequence).
type
Three-character resource type processed. For example, TYPE(ITR) represents resource rule sets for IMS transactions. TYPE(SYS) represents CA ACF2 for DB2 rule sets for DB2 system privileges and utilities.
name
Key where the rule is stored. For example, TYPE(ITR) NAME(ACFR) specifies that an access report be produced for the IMS transaction named ACFR. For CA ACF2 for DB2 rule sets, the NAME parameter is the DB2 subsystem ID (SYSID) concatenated with the resource name ($KEY). You can specify the NAME parameter as NAME(-), resulting in a cross-reference report entry for each resource name stored under a particular resource type. This field is maskable with asterisks. Masking with an asterisk follows normal masking conventions.
class
Storage class where the rule set is stored. The default is R (for resource rule sets). The storage class code for CA ACF2 for DB2 rule sets is D (for DB2). For more information on rule sets, see CA ACF2 Option for DB2.
Note: If ACFRPTXR is run under TSO and the SYSRSLST file is not allocated or is allocated to a TSO terminal, ACFRPTXR prompts for input at the terminal with the string “RS?” Do not specify this file if the TYPE, NAME, and CLASS parameters are specified in the JCL parameter field. For batch jobs, the job terminates with an error message if one of the following is not specified: the JCL parameter field, the SYSIN file, or SYSRSLST.
SYSUT1
This is one of two scratch files required by ACFRPTXR.
SYSUT2
Scratch file that stores the decompiled rule sets for ACFRPTXR.
LOGONIDS
The LOGONIDS file is used to direct ACFRPTXR to use the current online CA ACF2 databases to make determinations. Alternately, other prebuilt VSAM clusters are provided to ACFRPTXR for this purpose. The LOGONIDS file should point to an alternate Logonid database. This is valid only when NOACF2 is specified.
RULES
The RULES file is used with the LOGONIDS file to have ACFRPTXR operate on historical data. The RULES file is valid only when the DSET and NOACF2 parameters are specified. The RULES file should point to an alternate Rule database.
INFOSTG
The INFOSTG file is used with the LOGONIDS file and directs ACFRPTXR to operate on historical data. INFOSTG is valid only when the RSRC and NOACF2 parameters are specified. The INFOSTG file should point to an alternate Infostorage database.
Sample Output
This section provides sample JCL, report output, and rule record summary information for data set access cross-reference and resource cross-reference reports. In addition, other processing options are described.
Data Set Access Cross-Reference Report
The following JCL produces the sample Data Set Access Cross-Reference report followed by the rule record summary. Other processing options are also described.
//SAMPLE JOB 1,'ACFRPTXR REPORT',MSGCLASS=A
//*
//* THIS JOB PRODUCES THE ACFRPTXR CROSS-REFERENCE REPORT FOR
//* DATA SET SYS1.LINKLIB
//*
//REPORT EXEC PGM=ACFRPTXR,
// PARM='DSET,ACF2,RRSUM,DSN(SYS1.LINKLIB)'
//*
//SYSPRINT DD SYSOUT=A
//SYSUT2 DD UNIT=SYSDA,SPACE=(CYL,(2,2)),DCB=BUFNO=30
Sample Data Set Access Cross-Reference Output
On the following sample report, three rule entries were found that applied to the specified data set, SYS1.LINKLIB. Each rule entry and its applicable authorities, conditions, and a list of matching logonids are displayed. Information entries also appear for each new high-level index (after the RULE KEY line) whenever the rule set contains a %CHANGE, %RCHANGE, $NOSORT, $OWNER, $MODE, $PREFIX, or $USERDATA entry.
CA ACF2 UTILITY LIBRARY - ACFRPTXR - CROSS-REFERENCE REPORT - PAGE 1
DATE 02/18/02 (02.049) TIME 09.11 SAMPLE OF XR REPORT
----------------------------------------------------------------
DATA SET: SYS1.LINKLIB STORED: 01/15/02-16:41 BY: NPDLLV
CONTROLS: %CHANGE DATA EXISTS %RCHANGE DATA EXISTS $MODE(ABORT)
LOGONIDS THAT HAVE ACCESS WITHOUT RULES
ACFSTCID(NC) ACFUSER(SE) ADMJM(SC) BACKUP(NC) CICSCVT(NC,SE) NET(NC) NPDLLV(SE) SECOFF(SE) TLC001(NC) TLC004(NC) TLCJD(RA) TSSISO(NC)
LINKLIB UID(PAY**TLC) LIB(LINKLIB) PGM(HMASMP) READ(A) WRITE(L) EXEC(A)
TLC001(U,NC) TLC002 TLC0031 TLC004(U,NC) TLCDF TLCFAS TLCJD(U,RA) TLCJD1 TLCJEC TLCKGS TLCLP TLCNJG TLCPK TLCRJT TLCRMC
LINKLIB UID(PAY**T) PGM(HMASMP) READ(A) WRITE(L) EXEC(A)
TLC001(U,NC) TLC002 TLC0031 TLC004(U,NC) TLCDF TLCFAS TLCJD(U,RA) TLCJD1 TLCJEC TLCKGS TLCLP TLCNJG TLCPK TLCRJT TLCRMC TSSISO(U,NC) TSSLLM
When the LIDNAME option is specified a larger output will be produced containing the complete logonid name appended to the LID. For example:
CA ACF2 Security - ACFRPTXR - CROSS REFERENCE REPORT - PAGE 1
DATE 05/30/05 (05.150) TIME 04.35 SAMPLE OF XR REPORT
DATASET: SYS1.LINKLIB STORED: 06/11/02-11:11 BY: SAMWI01
CONTROLS: %CHANGE DATA EXISTS $MODE(ABORT)
LOGONIDS THAT HAVE ACCESS WITHOUT RULES
ACFBKUP(NC) ACF2 BKUP PROC
ACFSTCID(NC) *** STC DEFAULT ***
ACF2PC(NC) ACF2 PC STC
CATCPIP(NC) 'TCP ACCESS'
CA11PROD(NC) 'CA11 TASK'
CCISSLGW(NC) 'CCI V.2'
CCITCP(NC) CCI TCPIP
TLC01(NC) TLC USER01 NON-CNC
- VOL(DSK***) UID(*****QAG) READ(A) WRITE(A) EXEC(A)
QAUSER1 ACF QA USER # 01
QAUSER2 ACF QA TEST # 02
LINKLIB UID(PAY**TLC) LIB(LINKLIB) PGM(HMASMP) READ(A) WRITE(L) EXEC(A)
TLC001(U,NC) TLC USER 0001
TLC002 TLC USER 00002
TLC0031 TLC USER 0031
TLC004(U,NC)
TLCDF TLC USER DEFAULT
TLCJD(U,RA) TLC USER J.DOE
Sample Data Set Rule Lines with &LID Qualifiers
Data set rule lines can contain &LID qualifiers. For rule lines that contain &LID as one of the data set qualifiers, the output is dependent on the input, as follows:
  • Input specifies that all accesses for a certain high level qualifier should be shown (see Example 1 below)
  • A specific data set name was specified on the input (see Examples 2a and 2b below)
For the following examples, let’s assume the following rule exists:
$KEY(SOMEDSN)
ABC.&LID UID(*****BXX) READ(A) EXEC(A)
XYZ.&LID UID(*) READ(A) EXEC(A)
Example 1 – all accesses for a certain high level qualifier should be shown
Input parameters: 'ACF2,DSET,RKEY(SOMEDSN)'
ABC.&LID UID(*****BXX) READ(A) EXEC(A)
BXX0001 BXX0002 BXX0003 BXX0004
XYZ.&LID UID(*) READ(A) EXEC(A)
ALL LOGONIDS MATCH SPECIFIED UID STRING
In Example 1, there is no specific data set given on the input. &LID can match any logonid, depending on the actual data set name when a real validation takes place.
Example 2a – a specific dataset name was specified on the input
Input parameters: 'ACF2,DSN(SOMEDSN.ABC.BXX0002)'
ABC.&LID UID(*****BXX) READ(A) EXEC(A)
BXX0002
Example 2b – a specific dataset name was specified on the input
Input parameters: 'ACF2,DSN(SOMEDSN.XYZ.BXX0002)'
XYZ.&LID UID(*****BXX) READ(A) EXEC(A)
BXX0002
In Examples 2a and 2b, the report is given a specific data set name. Therefore the &LID rule lines can only match the input data set names. Since the BXX0002 qualifier in the input data set name aligns with the &LID qualifier in the rule line, only the BXX0002 logonid is given access to the specific data set via the rule line.
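The matching behaviour described in Examples 1, 2a and 2b, as an added, constructed Python simulation (not CA code): it applies the rule lines' UID masks to a set of logonids, substitutes each candidate logonid for &LID when a specific data set is given, and annotates the result with this page's reason codes (U, NC, RA, SE, SC) together with the "access without rules" list. The class names, functions, UID strings and logonid attributes are assumptions made for the example; the UID masking semantics assumed are stated in the module docstring.

```python
"""Constructed simulation of how ACFRPTXR cross-references rule entries with
logonids (added example, not CA code).  Assumptions: ACF2 UID masking where
'*' matches one character, '-' matches the remainder and a mask shorter than
the UID matches as a prefix; after &LID is replaced by the candidate logonid
the rule line's qualifiers must equal those of the requested data set ('-'
alone matches any data set); only the reason codes on this page are modelled."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Logonid:
    lid: str
    uid: str                       # UID string built from the logonid record
    non_cncl: bool = False         # NON-CNCL attribute -> reason code NC
    readall: bool = False          # READALL attribute  -> RA (data set rules only)
    security: bool = False         # SECURITY attribute -> SE, or SC when SCPLIST set
    scplist: Optional[str] = None  # the scope record itself is not evaluated here


@dataclass
class RuleEntry:
    dsn_mask: str                  # qualifiers under the $KEY, may contain &LID
    uid_mask: str
    access: Dict[str, str] = field(default_factory=dict)  # {"READ": "A", ...}


def uid_matches(mask: str, uid: str) -> bool:
    """ACF2-style mask compare (assumption: prefix match when mask is shorter)."""
    for i, m in enumerate(mask):
        if m == "-":
            return True
        if i >= len(uid) or (m != "*" and m != uid[i]):
            return False
    return True


def dsn_matches(dsn_mask: str, lid: str, dsn_rest: Optional[str]) -> bool:
    """RKEY-only runs (dsn_rest is None) report every rule line; with a specific
    data set, &LID is replaced by the candidate logonid before comparing."""
    if dsn_rest is None or dsn_mask == "-":
        return True
    return dsn_mask.replace("&LID", lid) == dsn_rest


def privilege_codes(lon: Logonid, dataset_rule: bool = True) -> List[str]:
    """Reason codes a logonid earns regardless of any rule line."""
    codes = []
    if lon.non_cncl:
        codes.append("NC")
    if lon.readall and dataset_rule:
        codes.append("RA")
    if lon.security:
        codes.append("SC" if lon.scplist else "SE")
    return codes


def format_lid(lon: Logonid, codes: List[str]) -> str:
    # The report prints a bare logonid when a UID match is the only reason.
    return lon.lid if codes == ["U"] else f"{lon.lid}({','.join(codes)})"


def access_without_rules(logonids: List[Logonid]) -> List[str]:
    """The 'LOGONIDS THAT HAVE ACCESS WITHOUT RULES' section of the report."""
    return [format_lid(l, privilege_codes(l)) for l in logonids if privilege_codes(l)]


def cross_reference(key: str, entries: List[RuleEntry], logonids: List[Logonid],
                    dsn: Optional[str] = None) -> Dict[str, List[str]]:
    """Map each rule line to the logonids listed under it in the report body.
    dsn=None corresponds to DSN(-) with RKEY(key); otherwise dsn is a full name."""
    dsn_rest = None
    if dsn is not None:
        hlq, _, dsn_rest = dsn.partition(".")
        if hlq != key:
            raise ValueError(f"{dsn} is not under rule key {key}")
    report: Dict[str, List[str]] = {}
    for e in entries:
        perms = " ".join(f"{k}({v})" for k, v in e.access.items())
        line = f"{e.dsn_mask} UID({e.uid_mask}) {perms}"
        report[line] = [format_lid(lon, ["U"] + privilege_codes(lon)) for lon in logonids
                        if uid_matches(e.uid_mask, lon.uid)
                        and dsn_matches(e.dsn_mask, lon.lid, dsn_rest)]
    return report


# Constructed sample: the $KEY(SOMEDSN) rule set from the &LID examples above,
# plus two privileged logonids whose UIDs do not carry BXX in positions 6-8.
RULESET = [RuleEntry("ABC.&LID", "*****BXX", {"READ": "A", "EXEC": "A"}),
           RuleEntry("XYZ.&LID", "*", {"READ": "A", "EXEC": "A"})]
LOGONIDS = [Logonid(f"BXX000{n}", f"NYPAYBXXBXX000{n}") for n in range(1, 5)] + [
    Logonid("TLCJD", "NYPAYTLCTLCJD", readall=True),
    Logonid("SECOFF", "NYSECSECSECOFF", security=True)]

if __name__ == "__main__":
    for title, dsn in (("Example 1: DSET,RKEY(SOMEDSN)", None),
                       ("Example 2a: DSET,DSN(SOMEDSN.ABC.BXX0002)", "SOMEDSN.ABC.BXX0002")):
        print(title, "| without rules:", " ".join(access_without_rules(LOGONIDS)))
        for line, lids in cross_reference("SOMEDSN", RULESET, LOGONIDS, dsn).items():
            print(" ", line, "->", " ".join(lids) or "(no logonid matches)")
```

Running the module reproduces the shape of Examples 1 and 2a: with RKEY only, the UID(*) line lists every logonid, while DSN(SOMEDSN.ABC.BXX0002) narrows the ABC.&LID line to BXX0002 and leaves the XYZ.&LID line empty.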
Sample Data Set Access Rule Record Summary
Additional information about the %CHANGE and %RCHANGE users appears in the optional Rule Record Summary portion of the report. Also, if the input request included a volume name and a volume name rule also exists (@volser.VOLUME), this information is indicated after the RULE KEY line.
CA ACF2 UTILITY LIBRARY - ACFRPTXR - CROSS-REFERENCE REPORT - PAGE 1
DATE 02/18/02 (02.049) TIME 09.11 SAMPLE OF XR REPORT
--------------------------------------------------------------------
DATA SET KEY: SYS1 STORED: 01/15/02-16:41
%CHANGE DATA BEING PROCESSED
LOGONIDS THAT UPDATE THIS RULE WITHOUT ANY %CHANGE OR %RCHANGE
ACFUSER(SE) CICSCVT(NC,SE) NPDLLV(SE) SECOFF(SE)
%CHANGE *****SECOFF
SECOFF(U,SE)
LOGONIDS THAT CAN UPDATE RULE ENTRIES IN THIS RULE
%RCHANGE *****TLCFAS
When the LIDNAME option is specified, a larger output is produced containing the complete logonid name appended to the LID. For example:
CA ACF2 Security - ACFRPTXR - CROSS REFERENCE REPORT - PAGE 1
DATE 05/30/05 (05.150) TIME 04.35 SAMPLE OF XR REPORT
DATA SET KEY: SYS1 STORED: 01/15/02-16:41
%CHANGE DATA BEING PROCESSED
LOGONIDS THAT UPDATE THIS RULE WITHOUT ANY %CHANGE OR %RCHANGE
ACFUSER(SE) COMPUTER ASSOCIATES
CICSCVT(NC,SE) CICS STC REGION
NPDLLV(SE)
SECOFF(SE) SECURITY OFFICER
%CHANGE *****SECOFF
SECOFF(U,SE) SECURITY OFFICER
LOGONIDS THAT CAN UPDATE RULE ENTRIES IN THIS RULE
%RCHANGE *****TLCFAS
TLC0003(U) TLC USER 0003
Using PARM statement for report parameters.
//REPORT EXEC PGM=ACFRPTXR,PARM=('TITLE(SAMPLE ACFRPTXR)',
// 'ACF2,DSET,LIDNAME')
//SYSPRINT DD SYSOUT=*
//SYSUT1 DD UNIT=SYSDA,SPACE=(CYL,(2,2)),DCB=BUFNO=5
//SYSUT2 DD UNIT=SYSDA,SPACE=(CYL,(2,2)),DCB=BUFNO=5
//SYSDSLST DD *
SYS1.PARMLIB
SYS1.PROCLIB
Using SYSIN file for Dataset report parameters.
//REPORT EXEC PGM=ACFRPTXR
//SYSPRINT DD SYSOUT=*
//SYSUT1 DD UNIT=SYSDA,SPACE=(CYL,(2,2)),DCB=BUFNO=5
//SYSUT2 DD UNIT=SYSDA,SPACE=(CYL,(2,2)),DCB=BUFNO=5
//SYSDSLST DD *
SYS1.PARMLIB
SYS1.PROCLIB
//SYSIN DD *
TITLE(SAMPLE DATASET ACFRPTXR) ACF2 DSET LIDNAME
//*
Using SYSIN file for Resource report parameters
//REPORT EXEC PGM=ACFRPTXR
//SYSPRINT DD SYSOUT=*
//SYSUT1 DD UNIT=SYSDA,SPACE=(CYL,(2,2)),DCB=BUFNO=5
//SYSUT2 DD UNIT=SYSDA,SPACE=(CYL,(2,2)),DCB=BUFNO=5
//SYSIN DD *
TITLE(SAMPLE RESOURCE ACFRPTXR) ACF2 RSRC TYPE(FAC) NAME(BPX.CONSOLE) LIDNAME CLASS(R)
//*
Using SYSIN file for Resource report parameters for multiple Resource Keys
//REPORT EXEC PGM=ACFRPTXR,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSUT1 DD UNIT=SYSDA,SPACE=(CYL,(100,100)),DCB=BUFNO=30
//SYSUT2 DD UNIT=SYSDA,SPACE=(CYL,(500,500)),DCB=BUFNO=30
//SYSRSLST DD *,DCB=BLKSIZE=80
TYPE(ITP) NAME(CDA)
TYPE(ITP) NAME(TRAN2)
TYPE(ITP) NAME(TRAN3)
//SYSIN DD *
ACF2 RSRC CLASS(R) LID LIDNAME NEXTKEY
//*
Report Output Field Descriptions
BY
The logonid of the user who last changed this rule record.
CONTROLS
Lists the control statements specified in the rule set which includes the following: $LIDOWNER, $UIDOWNER, $MEMBER, $MODE, $NORULELNG, $NOSORT, $OWNER, $PREFIX, $RECNAME, $RESOWNER, $USERDATA, %CHANGE and %RCHANGE. %CHANGE and %RCHANGE users are listed in the Rule Record Summary portion of the report.
DATA SET
The fully qualified data set name for the requested report. This field appears only in the Data Set Access Cross-Reference Report.
lid1 through lidn
The individual logonids (and their complete logonid name, if present in the database) that have access to the specified data set or resource because they match the UID in the rule (U or nothing after the logonid) or because of other special CA ACF2 privileges (NC, O, RA, SC, or SE after the logonid). The listing of individual logonids matching each rule entry is optional (see the LID|NOLID option).
When LID and LIDNAME are specified, then the individual logonids matching each rule are appended by their complete logonid name.
NEXTKEY CONNECTED FROM RULE KEY
This line indicates the rule is part of a NEXTKEY chain of rule sets and reports the key of the rule containing a rule line with the NEXTKEY that points to this rule. It specifies only the first key found chaining the current rule with a NEXTKEY. If NEXTKEY and either a DSN(-) or NAME(-) is specified, the NEXTKEY rule will not be expanded, since it will have been expanded in the previous section of the report.
(rc)
The reason codes specifying why CA ACF2 permits this logonid to have access to this data set or resource. If a code does not appear on the report, the user has access only as specified by that rule. Possible codes are:
  • O-Owner (“owned data set” PREFIX matches or $LIDOWNER or $UIDOWNER control statement of CA ACF2 for DB2 rules match).
  • NC-Non-Cancelable (NON-CNCL attribute).
  • RA-Read-Only Logonid (READALL attribute). This reason code applies only to data set access rules.
  • SC-Scoped Security Officer (SECURITY attribute and matching SCPLIST value).
  • SE-Unrestricted Security Officer (SECURITY attribute and no SCPLIST value).
  • U-UID match (user's UID matches rule UID parameter). Not listed if only condition met.
  • USER-user match (user is included in the USER parameter specified on the rule line).
  • ROLE-role match (user is included in the ROLE parameter specified on the rule line).
RESOURCE NAME
The name of the resource processed. This field is shown only for the Resource Cross-Reference Report.
RESOURCE TYPE
The type of resource processed. This field is shown only for the Resource Cross-Reference Report.
rule entry
The matching rule entry as it appears in the rule record. Possible fields that could appear in an access rule entry are:
DSN VOLUME(volser-mask) UID(uid-mask) SOURCE(source-mask) SHIFT(shift-name) -
LIBRARY(lib-mask) PGM(pgm-mask)|PROGRAM(pgm-mask) -
DDNAME(ddname-mask) UNTIL(date)|FOR(days) ACTIVE(date) -
DATA(text) READ(Allow|Log|Prevent) WRITE(Allow|Log|Prevent) -
ALLOCATE(Allow|Log|Prevent) EXECUTE(Allow|Log|Prevent) NEXTKEY(next-key)
Possible fields that could appear in a resource rule entry are:
UID(uid-mask) SOURCE(source-mask) SHIFT(shift-name) -
SERVICE(Read,Update,Add,Delete) DATA(text) -
UNTIL(date)|FOR(days) ACTIVE(date) VERIFY Allow|Log|Prevent
Possible fields that could appear in a CA ACF2 for DB2 rule entry are:
UID(uid-mask) SHIFT(shift-name) UNTIL(date)|FOR(days) ACTIVE(date) -
SERVICE(keyword1,...,keywordn) COLUMN(column1,...,columnn) DATA(text) -
Allow|Log|Prevent
For more information about rule sets, see the CA ACF2 Option for DB2.
RULE KEY
The key where the rules were searched. This key is normally the same as the $KEY value of the resource rule, data set access rule, or CA ACF2 for DB2 rule. For data set access rules, however, the rule key might not be equivalent to the $KEY value, because the RKEY parameter option can specify that an alternate $KEY be used to test the access criteria for a data set. In this case, the rule key shown on the report is the value specified in the RKEY parameter.
STORED
The date and time this rule record was last changed. The format of this field is MM/DD/YY, DD/MM/YY, or YY/MM/DD, based on CA ACF2 generation options.