Why am I getting so many loggings for MVS.SEND resources when the rule says ALLOW?

Document ID : KB000054820
Last Modified Date : 14/02/2018
Show Technical Document Details


I am getting many resource loggings in the ACFRPTRV report for resource MVS.SEND. Here is the logging:

ROPR-MVS.SEND                                    LOG  ROPR-********           
yy.ddd mm/dd hh.mm JES2     JES2     JES2 STC               0   0   4   0   4 
SAF RESOURCE CLASS OPERCMDS                                                   

I am using extended resource rules for the OPR type code

*RESOURCE RULE ******** STORED BY SECURITY ON mm/dd/yy-hh:mm        
$KEY(********) TYPE(OPR)                                                                   
 - UID(*) LOG                                                     
*RESOURCE RULE MVS STORED BY SECURITY ON mm/dd/yy-hh:mm             
$KEY(MVS) TYPE(OPR)                                               
 ACTIVATE.- UID(****************SYS) ALLOW                        
 CONTROL.- UID(****************SYS) ALLOW                     
 DISPLAY.- UID(****************OPR) ALLOW                         
 DISPLAY.- UID(****************OPS) ALLOW                         
 DISPLAY.- UID(****************SYS) ALLOW                                       
 DISPLAY.- UID(*) LOG                                                          
 MODIFY.STC.- UID(****************SYS) ALLOW                      
 MODIFY.STC.- UID(****************OPS) ALLOW
 REPLY UID(****************OPS) ALLOW           
 START.STC.DMSAR.- UID(*) ALLOW                 
 START.STC.- UID(****************OPS) ALLOW     
 STOP.- UID(****************OPS) ALLOW          
 STOPMN UID(****************OPS) ALLOW          
 SWITCH.SMF UID(****************OPS) ALLOW   
 VARY.DEV UID(****************OPS) ALLOW
 VARY.DEV UID(****************SYS) ALLOW                                           
 WRITELOG UID(****************OPS) ALLOW        
 - UID(*) LOG

As you can see from the rules, the JES2 address space has ALLOW for the SEND rule line in the $KEY(MVS) ruleset. But I still get loggings. Why?


CA ACF2 will first look for a resource rule that matches the COMPLETE resource request in the $KEY. So CA ACF2 looked for $KEY(MVS.SEND). Since that was not found, CA ACF2 will then look for a masked $KEY that matches the resource. In this case, that was found with $KEY(********). That was verified by the logging report that shows the "lookup key", that being ROPR-********. If the resource name was longer then 8 characters, CA ACF2 would not have found a direct match in the $KEY and would have then looked for a key that matches the high level qualifier of the resource i.e. $KEY(MVS). The rule line that you have in $KEY(MVS) .. UID(SOFT0756SS******JES2) ALLOW will never be looked at because you have a $KEYthat matches the complete resource name.

In this case, resource MVS.SEND is very short, only 8 characters in length. Therefore it will be matched against the $KEY(********) resource ruleset.

So, the resolution for this particular problem is a rule like this:

 $KEY(MVS.SEND) TYPE(OPR)                                                         

Since you already have a masked rule in use, the type code is resident so a REBUILD must be issued.

At a console, enter: F ACF2,REBUILD(OPR)