Why does a scoped SECURITY logonid receive an ACF04017 error when using the RECKEY command to add a rule entry to an existing rule?

Document ID : KB000024379
Last Modified Date : 14/02/2018

Question:  

We have discovered that a scoped SECURITY logonid receives an ACF04017 error when using the RECKEY command to add a rule entry to an existing rule. Why does this happen?


Answer:  

The "ACF04017 NOT AUTHORIZED FOR REQUESTED FUNCTION" message can occur if a LOGONID with the SECURITY privilege and a SCOPE record does not have access to the Infostorage database record (resource rule) that the RECKEY command is attempting to update. The SCOPE INF field limits the Infostorage database records that the scoped logonid has access to.

If the rule that the RECKEY command is updating is not within the SCOPE INF field associated with the logonid, the ACF04017 message will occur.

The RECKEY subcommand assists security administrators in maintaining rule sets and compiled infostorage rule records. This subcommand lets the user decompile, add or delete a rule entry, recompile, and store the updated rule set on one command.

Scope records limit a user's administrative authority over the ACF2 Logonid, Rule, and Infostorage databases. The SCOPE INF field specifies multiple one- to 44-character entries that indicate the limits placed on the Infostorage database records that the scoped logonid can insert, alter, or delete and the resources that can be accessed through the SECURITY privilege. For Resource rules, the SCOPE INF field is used to limit a scoped SECURITY logonid's access to resource rules.

The SCOPE INF field for a Resource rule should specify the Storage class R for resource rules, the resource rule Type code (for example, FAC for FACILITY resource class rules) and the Resource record $KEY. If the SCOPE INF field does not account for the complete Storage class, Type code and Resource name of the infostorage rule record that is being modified, then access will be denied. You can specify a single value or a list of values using the ACF2 masking characters asterisk (*) and dash (-).

For example:

USER001's logonid has the SECURITY privilege and a SCOPE(SCOPE1) record:

USER001                          USER001  USER ONE             $DEFAULT 
PRIVILEGES           SCPLIST(SCOPE1) SECURITY 
ACCESS               ACC-CNT(0) ACC-DATE(00/00/00) ACC-TIME(00:00) 
PASSWORD             KERB-VIO(0) KERBCURV() PSWD-DAT(00/00/00) PSWD-EXP 
PSWD-INV(0)          PSWD-TOD(03/09/09-15:46) PSWD-VIO(0) 
PSWDCVIO(0)          PWP-DATE(00/00/00) PWP-VIO(0)

. . . .

. . . .

The SCOPE record SCOPE1 is defined as:

?  list scope1 
ACF6A062 SCOPE SCOPE1 STORED BY ADMIN002  ON 03/09/09-14:23 
 INF(RFAC)

The following TEST resource rule will be used.

$KEY(TEST) TYPE(FAC) 
 UID(USER099) ALLOW 
 UID(USER101) ALLOW

If the following RECKEY is issued, access will be denied with the "ACF04017 NOT AUTHORIZED FOR REQUESTED FUNCTION" message because the SCOPE INF(RFAC) does not allow access to the infostorage rule $KEY TEST:

reckey test add( uid(USER025) allow)

A SCOPE record with field INF(RFACTEST) or INF(RFAC-) would need to be specified to allow access to the Storage class R, Type code FAC, Resource record TEST.

Sample SCOPE INF fields for Resource Rules

SCOPE INF Field   Access Allowed
---------------   ----------------------------------------------
INF(RFAC-)        All TYPE(FAC) resource rules
INF(RFACT-)       All TYPE(FAC) resource rules that start with T
INF(RFACTEST)     The TYPE(FAC) TEST resource record
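As an added worked example (not part of this KB article and not ACF2 code), the following Python models the SCOPE INF check described above for the SCOPE1 example and the sample table: the record key is built from Storage class, Type code and $KEY, and each INF entry is compared against it. The masking semantics of asterisk and dash, the LIST SCOPE parsing and all function names are assumptions.

```python
import re

# Added example, not code from the CA ACF2 KB article.  Models how a SCOPE
# INF entry is compared with the Infostorage record key that RECKEY updates.
# Assumed masking semantics (the page names '*' and '-' but does not define
# them): '*' matches exactly one character position, '-' matches the rest of
# the key and is meaningful only as the last character; an entry without a
# mask must match the whole key exactly.

ACF04017 = "ACF04017 NOT AUTHORIZED FOR REQUESTED FUNCTION"

def infostorage_key(storage_class: str, type_code: str, rule_key: str) -> str:
    """Record key checked against SCOPE INF: storage class + type + $KEY.
    $KEY(TEST) TYPE(FAC) gives 'R' + 'FAC' + 'TEST' = 'RFACTEST'."""
    return (storage_class + type_code + rule_key).upper()

def inf_entry_covers(entry: str, key: str) -> bool:
    """True if one SCOPE INF entry covers the record key under the assumed rules."""
    entry, key = entry.upper(), key.upper()
    for i, ch in enumerate(entry):
        if ch == "-":              # dash: whatever remains of the key is covered
            return True
        if i >= len(key):          # entry is longer than the key and has no dash
            return False
        if ch != "*" and ch != key[i]:
            return False
    return len(entry) == len(key)  # no dash reached: lengths must agree

def parse_scope_inf(listing: str) -> list[str]:
    """Pull the INF(...) entries out of a LIST SCOPE display, e.g. ' INF(RFAC)'."""
    m = re.search(r"INF\(([^)]*)\)", listing)
    return m.group(1).replace(",", " ").split() if m else []

def reckey_result(scope_inf: list[str], type_code: str, rule_key: str) -> str:
    """Outcome of RECKEY on a resource rule (Storage class R) for a scoped SECURITY logonid."""
    key = infostorage_key("R", type_code, rule_key)
    return "permitted" if any(inf_entry_covers(e, key) for e in scope_inf) else ACF04017

if __name__ == "__main__":
    # Constructed LIST SCOPE output shaped like the SCOPE1 record on the page.
    scope1 = parse_scope_inf("ACF6A062 SCOPE SCOPE1 STORED BY ADMIN002  ON 03/09/09-14:23\n INF(RFAC)")
    print("INF(RFAC)      RECKEY TEST TYPE(FAC):", reckey_result(scope1, "FAC", "TEST"))
    for inf in ("RFAC-", "RFACT-", "RFACTEST"):
        print(f"INF({inf:<9}) RECKEY TEST TYPE(FAC):", reckey_result([inf], "FAC", "TEST"))
    print("INF(RFACT-)    RECKEY PROD TYPE(FAC):", reckey_result(["RFACT-"], "FAC", "PROD"))
```

Running the block reproduces the denial for INF(RFAC) and the three permitted cases from the table, and shows that INF(RFACT-) still denies a TYPE(FAC) rule whose $KEY does not start with T.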

Details on the SCOPE record can be found in the CA-ACF2 Security for z/OS Administrator Guide, in Chapter 4: Maintaining Scope Records.