DB00270W When enabling External Security for CA7 using Datacom/AD

Article ID: 260695


Products

Datacom/AD, Top Secret, Datacom

Issue/Introduction

I'm trying to turn on external security for the Datacom/AD database. I used the default SYSIN members from the CA7 PDS: CAL2OPTN(AL2MUFS1) & CAL2OPTN(AL2MUFS2)

The security team added the TSS (Top Secret) definitions and I started CA7MUFP and see the following message:

CA7MUFP:DB00270W - ACCESS TO DATACOM TABLES NOT PROTECTED BY EXTERNAL SECURITY

Environment

Release : 15.1

Cause

This issue may result from any of the following:

  • A problem with the .PASS (ACTIVATE.LEVEL05.PASS) and/or .FAIL (ACTIVATE.LEVEL05.FAIL) security settings.
  • The user running the job/STC has non-cancelable or special access privileges that override TSS resource rules.
  • The SAF product and the Datacom Security settings were not refreshed.


If the case does not involve non-cancelable privileges or refreshing security, then more information is needed to diagnose the issue. Have the security administrator provide the following:

  1. A full listing of the MUF's user settings, showing all attributes and any special privileges.
  2. The complete MUF log after DIAGOPTION 5,4,ON is added to the MUF Startup Options and the MUF is recycled.
  3. A full listing of the following resources, showing the users and access levels:
    DCTABLE(CxxnameofMuf)
    DTADMIN(CxxnameofMuf)
    DTSYSTEM(CxxnameofMuf)
    DTUTIL(CxxnameofMuf)

Resolution

The diagnostic reports showed that the user was defined with WARN mode in Top Secret (TSS). Because a user in WARN mode is not denied access to the .FAIL resource, Datacom External Security was not enabled. The user must be granted access to the .PASS resource AND must also be denied access to the .FAIL resource.

The MUF log produced with the diagnostic option showed, through the following message, that the .FAIL resource condition was not met:
TSS7257W Unauthorized Access Level for DTSYSTEM <ACTIVATE.LEVEL05.FAIL>

The correction is to revoke WARN mode for the user with the command:
TSS REV(CA7MUF) MODE(WARN)

Additional Information

The caveat for revoking WARN mode is that the MUF user was never denied access to anything while MODE(WARN) was in effect. Once that setting is removed (assuming your facility and general settings are not also MODE(WARN)), there could be many other dataset or resource failures that you would not expect. It is recommended to review audit reports for this userid to see whether other security changes need to be made before removing WARN from the user.
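
The following triage script is an added example, not code from the article or from the product. It scans a MUF log for the two messages quoted under Issue and Resolution and flags the WARN-mode symptom. The sample log lines, the DCTABLE resource name and the function name are constructed, and it assumes that TSS7257W is logged in the same format for any other resource the user is warned on, which is what the Additional Information caveat asks you to review.

```python
import re

# Constructed MUF log excerpt. The DB00270W text and the first TSS7257W line
# come from the article; the DCTABLE line and its resource name are made up.
SAMPLE_LOG = """\
TSS7257W Unauthorized Access Level for DTSYSTEM <ACTIVATE.LEVEL05.FAIL>
TSS7257W Unauthorized Access Level for DCTABLE <EXAMPLE.RESOURCE>
CA7MUFP:DB00270W - ACCESS TO DATACOM TABLES NOT PROTECTED BY EXTERNAL SECURITY
"""

DB00270W = re.compile(r"(?:(\w+):)?DB00270W\b")
TSS7257W = re.compile(r"TSS7257W Unauthorized Access Level for (\w+) <([^>]+)>")


def triage(log_text):
    """Summarize the external-security messages found in a MUF log."""
    jobs, fail_hits, other_hits = [], [], []
    for line in log_text.splitlines():
        if (m := DB00270W.search(line)):
            jobs.append(m.group(1) or "unknown")
        if (m := TSS7257W.search(line)):
            hit = (m.group(1), m.group(2))
            # A warning on a .FAIL resource means the access was flagged but
            # not denied, which is the WARN-mode symptom from the article.
            # Assumption: warnings on other resources mark accesses to review
            # before WARN mode is revoked.
            (fail_hits if hit[1].endswith(".FAIL") else other_hits).append(hit)
    return {
        "unprotected_jobs": jobs,
        "fail_not_denied": fail_hits,
        "review_before_revoking_warn": other_hits,
        "warn_mode_suspected": bool(jobs and fail_hits),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```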