I'm trying to turn on external security for Datacom/AD database. I used the default SYSIN members from CA7 PDS: CAL2OPTN(AL2MUFS1) & CAL2OPTN(AL2MUFS2)
The security team added the TSS (Top Secret) definitions and I started CA7MUFP and see the following message:
CA7MUFP:DB00270W - ACCESS TO DATACOM TABLES NOT PROTECTED BY EXTERNAL SECURITY
Release : 15.1
Causes of this issue may be a result of either:
If the case does not deal with non-cancelable privileges or refreshing security, then more information is needed to diagnose the issue. Have the security administrator issue
The diagnosis reports showed that the user was defined in WARN mode in Top Secret (TSS). Because the user is in WARN mode, it is not denied access to the .FAIL resource, so Datacom External Security was not enabled. For external security to be enabled, the user must be granted access to the .PASS resource AND must also be denied access to the .FAIL resource.
The MUF log with the diagnosis option showed that the .FAIL requirement was not met, as indicated by the following message:
TSS7257W Unauthorized Access Level for DTSYSTEM <ACTIVATE.LEVEL05.FAIL>
The correction is to revoke WARN mode for the user with the command:
TSS REV(CA7MUF) MODE(WARN)
The caveat for revoking WARN mode is that, because of the MODE(WARN) setting, the MUF user was never denied access to anything. Once that setting is removed (assuming your facility and general settings are not also MODE(WARN)), there could be many other dataset or resource failures that you would not expect. It is recommended to review audit reports for this userid to see if other security changes need to be made before removing WARN from the user.
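The log check described above can be scripted. The following is an added example, not Broadcom code: it correlates DB00270W with TSS7257W warnings on .FAIL resources, the combination diagnosed in this article. The function name, verdict strings and filler log lines are assumptions; the two message lines are the ones quoted above.

```python
import re

# Patterns follow the two message lines quoted in this article.
UNPROTECTED = re.compile(r"(?P<job>[^\s:]+):DB00270W\b")
TSS_WARN = re.compile(
    r"TSS7257W Unauthorized Access Level for (?P<cls>\S+) <(?P<res>[^>]+)>")

def triage(log_lines):
    """Correlate DB00270W with TSS7257W warnings on .FAIL resources."""
    jobs, fail_warnings, other_warnings = [], [], []
    for line in log_lines:
        m = UNPROTECTED.search(line)
        if m:
            jobs.append(m.group("job"))
            continue
        m = TSS_WARN.search(line)
        if m:
            hit = (m.group("cls"), m.group("res"))
            # A warning (not a denial) on a .FAIL resource is the case
            # this article traces back to MODE(WARN) on the MUF user.
            target = fail_warnings if hit[1].endswith(".FAIL") else other_warnings
            target.append(hit)
    if not jobs:
        verdict = "not-reported"          # no DB00270W in this log
    elif fail_warnings:
        verdict = "fail-not-denied"       # check the user's mode with the TSS admin
    else:
        verdict = "needs-more-diagnosis"  # other causes; gather more information
    return {"verdict": verdict, "jobs": jobs,
            "fail_warnings": fail_warnings, "other_warnings": other_warnings}

# Constructed sample: filler lines are invented, message lines are from the article.
SAMPLE_LOG = [
    "CA7MUFP: (constructed filler) MUF startup in progress",
    "TSS7257W Unauthorized Access Level for DTSYSTEM <ACTIVATE.LEVEL05.FAIL>",
    "CA7MUFP:DB00270W - ACCESS TO DATACOM TABLES NOT PROTECTED BY EXTERNAL SECURITY",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["verdict"])
    for cls, res in result["fail_warnings"]:
        print(f"  warned, not denied: {cls} <{res}>")
```

Other TSS7257W hits returned in other_warnings are a starting list of resources that may begin failing once WARN mode is revoked.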