CICS regions do not seem to be using the CICS Transaction groups for access validation in ACF2.
search cancel

CICS regions do not seem to be using the CICS Transaction groups for access validation in ACF2.

book

Article ID: 262074

calendar_today

Updated On:

Products

ACF2 - z/OS ACF2 - MISC ACF2 ACF2 for zVM ACF2 - VSE

Issue/Introduction

Development and Test CICS regions do not seem to be using  the CICS transaction groups for access validation.

For example:

This region is not using transaction groups

RCKD-CEMT                                        TRC  RCKD-CEMT                 
                         XXXXX       E066     SYSX ACFAERUL NO-RULE     -     DIRECTRY      
23.073 14/03 14.11    CICSXX  XXXXX    ISI: USERID NAME            0   0  20   0  16
                                                                                
RESOURCE NAME: CEMT                                                             

and this region is

RCKZ-CEMT                                        TRC  RCKZ-C#CICS_OPS           
                          XXXXX       E066     SYSX ACFAERUL RULE        -     DIRECTRY      
23.073 14/03 13.16    CICSYY  XXXXX    ISI: USERID NAME        0   0   0   0   0
                                                                                
RESOURCE NAME: CEMT                                                             

Environment

Release : 16.0

Resolution

The difference between the two CICS regions is that the region that is using type CKD has a rule for $KEY(CEMT).
The region using CKZ does not have a rule for CEMT.

Resource grouping will only work if there is no rule with the specific keys being requested.
The violation shows that there is a rule with $KEY(CEMT) - see NO-RULE in the logging.

RCKD-CEMT                                        TRC  RCKD-CEMT                 
                          XXXXX       E066     SYSX ACFAERUL NO-RULE     -     DIRECTRY      
23.073 14/03 14.11    CICSXX  XXXXX    ISI: CON VASILIKAKIS   0   0  20   0  16

RESOURCE NAME: CEMT    

NO-RULE means there is a ruleset with the key but there is no rule line that matches the environment.