An ADSA application is using security classes attached to responses and resource type ACTI is secured in RHDCSRTT. Despite this, users who have not been granted the appropriate ACTIVITY are able to execute the response. It appears that ACTI security is not being enforced.

Release: All supported releases.
Component: ADS.

This will happen if AGR-CURRENT-RESPONSE is assigned in the ADS code as opposed to being specified by the user selecting the response from an ADSA generated menu.

This is documented at EXEC NEXT FUNCTION. Note the fifth bullet point after Usage : "If AGR-CURRENT-RESPONSE is modified by a process command, the runtime system does not perform security checking."

The solution to this unexpected behaviour is to enable optional bit 86 or 87 in RHDCOPTF.

Implementing Application Security