Why There Is No Violation Against The CICS Region Acid When Accessing Application Dataset?
search cancel

Why There Is No Violation Against The CICS Region Acid When Accessing Application Dataset?

book

Article ID: 12029

calendar_today

Updated On:

Products

Top Secret Top Secret - LDAP

Issue/Introduction

 

The CICS region acid doesn't have NODSNCHK, NOVOLCHK bypasses. It is authorized to access to the needed dataset to have the CICS region to start.

Referring to the official IBM documentation: 

http://www.ibm.com/support/knowledgecenter/SSGMCP_5.2.0/com.ibm.cics.ts.doc/dfht5/topics/dfht533.html 

"Authorizing access to user data sets Version 5.2.0 

When you have defined the RACF user ids for your CICS regions and given them access to the CICS system data sets, permit the user IDs to access the CICS application data sets with the necessary authority."


It means the CICS region acid does not only need the permissions to access the system datases but also need access to the application datasets.

Or the other way round: An access to an application dataset, which is not permitted to the region acid, should be denied. 

When setting a SECTRACE, it shows that a security call is issued but it is made with LOG=NONE. It why the violation is not logged.

There is no CA Top secret or CICS security parms reason why it should happen. 



 

Why There Is No Violation Against The CICS Region Acid When Accessing Application Dataset?

Environment

z/OS

Resolution

 

Removed from PGMNAME(DFHSIP) in the PPT of z/OS, SYS1.PARMLIB (SCHEDxx) the option "NOPASS".

"PASS" is the default.

 

When NOPASS is removed and PASS is in effect, then the security call against those dataset are made without LOG=NONE making the violation to be logged.

Additional Information

 

You can review the SCHEDxx parameter from IBM link for z/OS2.1 used as example.

 

http://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.ieae200/ieae200540.htm

 

 

Powered by Wolken Software