TSS7257E Security violation for CECI QUERY SECURITY command

book

Article ID: 198650

calendar_today

Updated On:

Products

CA Top Secret CA Top Secret - LDAP CA Web Administrator for Top Secret

Issue/Introduction

Issuing a:

CECI QUERY SECURITY RESTYPE('TRANSATTACH') RESID('CEMT')

The following message briefly appears on the screen:

TSS7257E Unauthorized Access Level for OTRAN <CEMT>

The message goes away and then the output of the QUERY command is displayed successfully.

If the command is issued multiple times, it suspends the users userid but a violation report shows no violations occurred. 

If the NOLOG option is added to the command, the issue does not occur. 

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

Reviewed a  Top Secret DIAGTRAP dump for the security violation.

'CECI QUERY SECURITY RESTYPE('TRANSATTACH') RESID('CEMT')'.

4 security calls for ACCESS READ, UPDATE, CONTROL and UPDATE are made for the CECI QUERY.

If user is only authorized to OTRAN(CEMT) with ACCESS(READ), then the other 3 security calls will receive the
TSS7257E security violation message and the response will be:

QUERY SECURITY RESTYPE('TRANSATTACH') RESID('CEMT')
STATUS: COMMAND EXECUTION COMPLETE NAME=
EXEC CICS Query Security
( RESType( 'TRANSATTACH ' ) | RESClass() RESIDLength() )
RESID( 'CEMT ' ... )
< LOGMessage() | LOG | Nolog >
< REAd( +0000000035 ) > <- READABLE
< Update( +0000000038 ) > <- NOT UPDATEBLE
< Control( +0000000057 ) > <- NOT CTRLABLE
< Alter( +0000000053 ) > <- NOT ALTERABLE

RESPONSE: NORMAL EIBRESP=+0000000000 EIBRESP2=+0000000000

Product is working as designed.

Specifying NOLOG on the CECI QUERY SECURITY will suppress the TSS7257E message and the correct response codes will be received from CICS.