The TEST subcommand lets you to interactively test a diagnose limiting rule set. Testing ensures the diagnose limiting rule set provides the intended validation of attempts to issue the diagnose instruction. When the TEST subcommand is active, CA ACF2 for z/ VM only interprets diagnose limiting rules. Testing does not take into account any site-specific system options or attributes of the logonids being tested.
Listed below is the syntax of the TEST subcommand under the MODEL setting.
TEST { * }
{ DIAGnnnn }
Indicates you want to test the previously compiled diagnose limiting rule set.
Operates the same as when you specify an asterisk.
Identifies the key of the diagnose limiting rule set being tested. nnnn is the four-character hexadecimal code for the diagnose instruction.
After you have issued the TEST subcommand, a period (.) indicates it is active. You can enter any of the following keywords with appropriate values to a test access environment. You must separate each keyword with blank characters. You can specify one or more input lines.
Identifies the user to be tested for execution of a diagnose instruction. To specify this keyword, you do not need access to the tested user's logon ID record. If you specify both the LID and UID keywords, CA ACF2 for z/ VM uses the last LID or UID value specified. For example, if LID(TLCJJD) and UID(TLCNLT) are specified, CA ACF2 for z/ VM uses only UID(TLCNLT).
Specifies the logon ID of the user to be tested for execution of a diagnose instruction. Like UID, you can mask the value of LID. To specify this keyword, you do not need access to the corresponding logon ID record. If you specify both LID and UID, CA ACF2 for z/ VM uses the last LID or UID value specified (just like UID above).
Specifies the date to be tested. This date must be in the format mm/dd/yy, dd/mm/yy, or yy/mm/dd, as specified in the OPTS VMO record. The current date is assumed as a default. For more information about the OPTS VMO record, see the chapter “Defining Structured Infostorage Records” in the Administrator Guide.
Specifies the time when execution of a diagnose instruction is tested for. This time is specified in hours and minutes (four digits).
Specifies the logical name of the input source or source group.
After you compile a diagnose limiting rule set, you can issue the TEST subcommand to test the rule set.
DIAGLIM compile ACFpgm510I CA-ACF2 compiler entered $key(diag0006) uid(tlcopr) allow uid(tlctec) log ACFpgm551I Total record length=194 bytes - 4 percent utilized DIAGLIM test * DIAG=DIAG0006, MDLTYPE=H50 .
The TEST subcommand is active, as indicated by the period (.). You can enter any of the TEST subcommand keywords to specify the environment you want to test.
The UID keyword, for example, tests whether a diagnose limiting rule set allows a certain user to issue a diagnose instruction. Here, we are testing the previously compiled diagnose rule set for code X'0006' to see if user TLCNLT can issue the diagnose.
DIAGLIM test * DIAG=DIAG0006, MDLTYPE=H50 . UID(TLCNLT) The following parameters are in effect: Date=11/08/00, time=*****, UID=TLCNLT, source=******** Diagnose=DIAG0006 The following would apply: LOG (relative rule entry 2)
The system displays all of the current values of the environment being tested. At the bottom of the display is a message that indicates if execution of the diagnose instruction is allowed, logged, or prevented. From the previously compiled rule set, TLCNLT is allowed to execute the diagnose code X'0006', but CA ACF2 for z/ VM writes an SMF record to log the event.
After a result is displayed, you can make another entry of keywords to test another rule set environment. But remember, after you enter TEST command keywords, the values you specify remain in effect until you explicitly change them. Furthermore, as shown in the previous example, almost all values you do not specify are assumed to be completely masked, by default. The values for the DATE keyword and the DIAGNOSE value are the only exceptions. If you specify no UID keyword, the TEST subcommand tests all UIDs.
To terminate the TEST subcommand, enter END.
The results of the TEST subcommand show if execution of the diagnose instruction is allowed, logged, or prevented.
Access is allowed
Access is allowed but logged
Access is explicitly prevented.
If no rule entry specifically applies to the test access environment, CA ACF2 for z/ VM displays the following message:
ACFpgm74CI No rule applies, access would be denied
|
Copyright © 2013 CA Technologies.
All rights reserved.
|
|