RACF errors doing GDG capture

book

Article ID: 194775

calendar_today

Updated On:

Products

CA Vantage Storage Resource Manager CA Graphical Management Interface

Issue/Introduction

While creating a capture of GDG information using object Catalog Management -> GDG Data Sets Info - CSI different results occurs. 

On our non-production system, the capture runs fine. 
However, on production, while it runs, it generates several RACF messages.
These are ICH408I messages noting access allowed (NONE) while requesting access (READ).  The RACF team alerted us that it appeared Vantage was trying to read the RACF data base. 
Since this is just collecting data set information, why is Vantage requesting read access?  Trying adding the datasets to the filter to exclude them, but the messages are still generated. 

GOA Script to capture GDG Data Sets information:

<GENERAL>
EVENT_TYPE=GOA
TITLE=GDG Base List
SYSID=HSYS
DESCRIPTION1=Capture a list of PROD Base Entries
SIMULATE=N
ENABLED=Y
LOAD_SCRIPT=Y
STARTTIME=0000
ENDTIME=2400
PERFORM_EVT_PROC=ON_DAY=ALL,AT_TIME=0815
<EVENT_PROCEDURE>
SELECT_OBJ=OBJ02016
INPUT_LIST_SET=/
SET_REALTIME
SET_FILTER=RECETYPC INCL B AND RECENTNM EXCL MCATICF./, IBMUSER./, IIN
/, LYDIAB./, MDLDSCB./, MVSS.SUPPORT/, PETEH./, RONNIES./, SYS1./, SYS2
.EMERG/, CATALOG./, PAY/
EXECUTE
SET_CAPTURE_DSN=XYZ.VANTAG.GDG.BASE.LIST
CAPTURE_DATA
 

A sample of the ICH408I error messages that are generated: 

ICH408I USER(DASD    ) GROUP(MYTASK) NAME(CA-VANTAGE SAMS STC ) 
  XYZ.RECOVR CL(DATASET ) VOL(RECOVR)                         
  INSUFFICIENT ACCESS AUTHORITY                                   
  FROM MCATICF.*.** (G)                                           
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )   

Cause

The ICH408I error messages are not produced directly by Vantage, but by the IBM IGGCSI00 component used by Vantage. 

This component provides the Catalog Search Interface (CSI) used by Vantage (for further details on this IBM facility, see:  https://www.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.idac100/hcatser.htm ). 
The ICH408I messages are a side effect of calling the CSI (Catalog Search Interface).  This side effect is most likely to occur when the input list wildcards do not specifically specify a high level qualifier, resulting in the entire catalog being searched. 
For example:
“INPUT_LIST_SET = /”
“INPUT_LIST_SET = *.XYZ” 

(Note:  Similar security messages can be generated when entering such wildcard patterns/strings when using the ISPF panels 'Data Set List' utility.  Also, attempting to use a Vantage filter in the Vantage script will not bypass this issue because the filter is not applied until after the records have been returned from the catalog).  

 

 

 

Environment

Release : 14.0

Component : CA Vantage Storage Resource Manager

Resolution

To avoid having these ICH408I messages being generated, it is recommend that the Input List be specified such that a specific high level qualifier is always used, along with any trailing wildcard characters.  If this is not acceptable, then these error messages can be ignored (or else IBM can be contacted for further resolution).  

Additional Information

It is recommended that users install Vantage PTF SO13736 which enhances or addresses various items involving CSI processing.