We are in the process of enabling additional CA1 security (inc YSVC). In the manual it says that YSVC security checks are not perform for real-time tape processing however we have seen calls to YSVCUNCD as shown below when the batch job is executing SORT.
ICH408I USER(xxxxxxxx) GROUP(ETWSUSER) NAME(TWS BATCH ID )
YSVCUNCD CL([email protected] )
WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
We are in RACF WARN mode for this class at the moment and hence seeing the above. Why is the YSVC being called when the batch job is not executing a CA1 utility or is the manual incorrect?
Release : 14.0
Component : CA 1 Tape Management
give the target userid either YSVCUNCD or YSVCCOND READ access as outlined in the following KD article:
https://ca-broadcomcsm.wolkenservicedesk.com/wolken/esd/knowledgebase_search?articleId=27965
DFSORT and SyncSort access the TMC, thus requiring additional security permission(s) to be defined.
to resolve the issue
What is happening is because you are running RACF in WARN mode that when we do the check for YSVCUNCD it fails and we do this check with the NOLOG parm, but RACF is flagging that even though when we do the next check of YSVCCOND you have that.
All is well now.