CA SYSVIEW is attempting to alter multiple CICS temporary storage structures

book

Article ID: 208432

calendar_today

Updated On:

Products

CA SYSVIEW Performance Management

Issue/Introduction

CA SYSVIEW appears to be attempting to alter CICS Temporary Storage coupling facility structures after reporting a CICS region is short on storage.

 

 

Cause

Looking at your SYSVIEW STC log...this error message can be seen multiple times:

ICH408I USER(CASYSVUS) GROUP(STC     ) NAME(CA-SYSVIEW USER STC ) 110
  IXLSTR.CUST_TSQ CL(FACILITY)
  INSUFFICIENT ACCESS AUTHORITY
  FROM IXLSTR.** (G)
  ACCESS INTENT(ALTER  )  ACCESS ALLOWED(NONE   )

Environment

Release : 15.0

Component : SYSVIEW

Resolution

In order to obtain information from CICS Temporary Storage Queues CA SYSVIEW uses the IBM IXLCONN macro to access some information. In certain cases, 'ALTER' access to the information . Security must been changed to allow access accordingly.

In order to obtain the information from CICS , ALTER access is required.

Since CA SYSVIEW is a CICS monitor it needs to be able to function in as many circumstances as possible, even when CICS itself may be experiencing problems. Therefore CA SYSVIEW cannot afford to use CICS interfaces such as CEMT or even EXEC CICS to obtain information. 

If CICS was experiencing trouble these services may not work or being hanging, etc. which would render CA SYSVIEW ineffective to help identify the problem. CA SYSVIEW obtains data directly, by looking at CICS control blocks, etc., which does not require any CICS services.

CA SYSVIEW needs to actually read this structure in order to display information about the queues that live there. The IBM service IXLCONN that CA SYSVIEW uses to connect to the structure appears to require ALTER access to the structure, even though CA SYSVIEW will only ever be reading from it and never writing to it. CA SYSVIEW is not providing any parameters to the IXLCONN macro that would cause ALTER access.

This is why this authorization is required in the security software:

Class         : FACILITY
Resource  : IXLSTR.cf_structure_name
Authority  : ALTER
Notes        : none

Additional Information

Security Requirements for the CA SYSVIEW Main Address Space

The following SAF authorizations are required to define a new log stream:
Class     : FACILITY
Resource  : MVSADMIN.LOGR
Authority : ALTER
Notes     : Needed to define a log stream related
                Coupling Facility structure.

Class     : FACILITY
Resource  : MVSADMIN.XCF.CFRM
Authority : ALTER
Notes     : none

Class     : FACILITY
Resource  : IXLSTR.cf_structure_name
Authority : ALTER
Notes     : none

Class     : LOGSTRM
Resource  : log.stream.name
Authority : ALTER
Notes     : Needed to define a log stream or
            alter its characteristics.