The ACFRPTDS report includes PDS member names for batch jobs. How can the ACF2 ACFRPTDS report be run to log access to a specific PDS member that is accessed through ISPF?

Document ID : KB000023927
Last Modified Date : 14/02/2018
Show Technical Document Details

Question:  

The ACFRPTDS report includes PDS member names for batch jobs. How can the ACF2 ACFRPTDS report be run to log access to a specific PDS member that is accessed through ISPF?

Answer: 

ACF2 PDS member level protection provides member level security for both batch and ISPF PDS accesses that can be reported on by the ACFRPTRV report.

IEBCOPY from ISPF 3.3 or batch will not cause an SMF record to be cut with the member name. The member name will only be picked up when dsn(member) is specified explicitly in the JCL, for example:

//MYDD DD DISP=SHR,DSN=SAMPLE.LOAD(PRGM1)

If a site utilizes ACF2 PDS member level protection all accesses to the PDS member name can be tracked.

For example member access to the SYS1.PROCLIB PDS can be tracked (logged) as follows.

Compile and store a rule to log all access to SYS1.PROCLIB secured under resource TYPE(PDS):

$KEY(********) TYPE(PDS)
UID(-) LOG

Add the TYPE(PDS) to the GSO INFODIR and issue the REFRESH and REBUILD commands:

ACF
SET CONTROL(GSO)
CHANGE INFODIR TYPES(RRPDS) ADD
F ACF2,REFRESH(INFODIR)
F ACF2,REBUILD(PDS)

Turn on PDS member level protection for SYS1.PROCLIB:

ACF
SET CONTROL(GSO)
INSERT PDS.proc1 LIBRARY(SYS1.PROCLIB) RSRCTYPE(PDS)
F ACF2,REFRESH(PDS)

Sample ACFRPTRV report showing access to member "MEMBER" in SYS1.PROCLIB by USER001:

RPDS-MEMBER LOG RPDS-********
     USER001 Z99LO999 SYS1 ACF9CFAT RULE - DIRECTRY READ
09.335 12/01 14.13 USER001 USER001 TEST USER 0 0 4 0 4
SAF RESOURCE CLASS PDS

RESOURCE NAME: MEMBER

Details on PDS member level protection can be found in "Appendix D: Implementing Member-Level Protection)" in the CA ACF2 for z/OS Administrator Guide.