With CA 1 option OCEOV set to YES, CA 1 should check for CLASS DATASET at OPEN.
Is there an easy way to verify if these security calls from CA 1 are performed?
Depending on the external security Product traces might be used to verify the security checks from CA 1.
Another possibility is to run a Tape Job against a Data set for which the user does not have sufficient access.
If the security check was performed from CA 1 because of OCEOV YES, this results in the violation messages from
the external security product and CA 1 messages CAL0C0SF and IEFTMS50 9XX-nn.
For example User userxxx tried to create Tape Data Set DATA.SET.NOACCESS with Top Secret as external Security:
TSS7220E 102 J=JOBXXXX A=USERXXX VOL=S00016 ACC=UPDATE DSN=DATA.SET.NOACCESS
TSS7227E UPDATE Access Not Granted to Dataset DATA.SET.NOACCESS
CAL0C0SF 08 102 USERXXX /TESTFILE/xxxxxxx. TSS7227E UPDATE Access Not Granted to Dataset DATA.SET.NOACCESS
IEFTMS50 9XX- 04 JOBXXXX,STEPXXX ,DDXXX ,0E57,S00016,00001,DATA.SET.NOACCESS
IEFTMS50 ***** CA 1 ABEND,F1,04 ***** **
For details on IEFTMS50 9xx Messages see:
9xx-rc SECURITY VIOLATION