Cannot get external security for SYSVIEW

Article ID: 232339


Products

SYSVIEW Performance Management, Top Secret

Issue/Introduction

The goal is to prevent anyone from loading SYSVIEW unless they are on a specific access list (this list will be about 10 users).

In other words, when the command to start SYSVIEW is entered on the mainframe, users who are not on the short access list should receive an error.

The DSN that provides the access permission is: SYSP.CEAPM.SYSVIEW.CNM4BISP 

However, after permitting ALL with ACCESS(NONE), the DWP622 ACID still has access to SYSVIEW.


Environment

SYSVIEW 15.0, 16.0 and 17.0 - z/OS supported releases

 

Resolution

Analysis of the SECTRACE output gives the following results:

TSS-C-0000*DWP622   DWP622   T DATASET 2088 G/004E010400,0220200000 L/700002 F//0000320,000100,0021,000040
TSS-1 40001000FFFF 00000000   T/8000090C01 SYH136 SYSP.CEAPM.SYSVIEW.CNM4BISP
TSS-2 130600 R/128880 S/400980,088028004000   TI1UF063 A/190080 P/ISPF    ,B512,ISPMAIN ,IKJEFT09 F/80C00600
TSS-4 02000000 009FC740 7F79F4A0  REQ/         SUB/

We can see that the DWP622 ACID is trying to access the SYSP.CEAPM.SYSVIEW.CNM4BISP dataset on the SYH136 volume.

The requested access level is: 4000 ==> read
but the allowed access level for the data set is: FFFF ==> ALL for the DWP622 ACID.

This is why the DWP622 user ID can access this dataset. Compare the trace with the record layout in the Top Secret documentation:

TSS-x-rcdr*acid init f c[lass] mmrr G/swr1r2dhvh,pfdovoaa   L/l1l2ee  F/f1f2f3f4,c1c2c3,aabb,iijjkk
TSS-C-0000*DWP622   DWP622   T DATASET 2088 G/004E010400,0220200000 L/7000

sw=00 ==> access allowed

r1= 4E RELATIVE RULE that allowed or denied data set access (first rule is 01, second rule is 02, and so on.)
This means that the 78th rule (X'4E') gives the authorization to the DWP622 ACID.

f1= PROFILE 1-254 : 02
This means that the second profile of this ACID grants it the authorization to this dataset.


TSS-2 130600 R/128880 S/400980,088028004000   TI1UF063 A/190080 P/ISPF    ,B512,ISPMAIN ,IKJEFT09 F/80C00600

This line shows the authorization algorithm you are running with:
40 = merge/all merge

80 is for Merge, Allover.

merge/all merge means that there is only ONE record with all profiles.
Top Secret searches for the best match, takes the first one that it finds, and does not look in the ALL record.

This is why the NONE access is NOT taken into account for the DWP622 ACID for the SYSP.CEAPM.SYSVIEW.CNM4BISP dataset.

Instead, the rule for your ACID DWP622 (access ALL) is the one that is applied.
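
The field-by-field reading above can be automated. The following Python decoder is an added example, not Broadcom code: it parses the TSS-C and TSS-1 lines using only the fields this article explains and lists ACIDs outside an approved list that were allowed access to a dataset. The function names are hypothetical, and the position of the requested and allowed access values inside the first TSS-1 field is an assumption inferred from the sample line.

```python
import re

# Sample copied from the SECTRACE output shown in this article.
SAMPLE = """\
TSS-C-0000*DWP622   DWP622   T DATASET 2088 G/004E010400,0220200000 L/700002 F//0000320,000100,0021,000040
TSS-1 40001000FFFF 00000000   T/8000090C01 SYH136 SYSP.CEAPM.SYSVIEW.CNM4BISP
"""

# Only the two access values the article decodes; others are kept as raw hex.
ACCESS_NAMES = {"4000": "read", "FFFF": "ALL"}
# Layout from the article: TSS-x-rcdr*acid init f class mmrr G/swr1r2dhvh,...
TSS_C = re.compile(r"^TSS-C-\w{4}\*(?P<acid>\S+)\s+\S+\s+\S+\s+(?P<cls>\S+)\s+\S+\s+G/(?P<g>[0-9A-F]{10})")
# Assumption from the sample line: first 4 hex digits = requested, last 4 = allowed.
TSS_1 = re.compile(r"^TSS-1\s+(?P<mask>[0-9A-F]{12})\s+\S+\s+T/\S+\s+(?P<vol>\S+)\s+(?P<dsn>\S+)")

def decode_trace(text):
    """Return one dict per TSS-C record, merged with the TSS-1 line that follows it."""
    events, current = [], None
    for line in text.splitlines():
        m = TSS_C.match(line)
        if m:
            g = m["g"]
            current = {"acid": m["acid"], "class": m["cls"],
                       "sw": g[0:2],                      # 00 = access allowed
                       "relative_rule": int(g[2:4], 16)}  # r1: 01 = first rule, ...
            events.append(current)
            continue
        m = TSS_1.match(line)
        if m and current is not None:
            req, allowed = m["mask"][:4], m["mask"][-4:]
            current.update(volume=m["vol"], dataset=m["dsn"],
                           requested=ACCESS_NAMES.get(req, req),
                           allowed=ACCESS_NAMES.get(allowed, allowed))
    return events

def unexpected_access(events, dataset, approved):
    """ACIDs outside the approved list that were allowed access to the dataset."""
    return sorted({e["acid"] for e in events
                   if e.get("dataset") == dataset and e["sw"] == "00"
                   and e["acid"] not in approved})

if __name__ == "__main__":
    events = decode_trace(SAMPLE)
    print(events)
    print(unexpected_access(events, "SYSP.CEAPM.SYSVIEW.CNM4BISP", approved=set()))
```

Running it over a longer trace capture with the real approved list shows which ACIDs still reach the dataset and which relative rule granted each of them.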