Access to JESSPOOL resource allowed even with PERMIT with ACCESS(NONE)
search cancel

Access to JESSPOOL resource allowed even with PERMIT with ACCESS(NONE)

book

Article ID: 280701

calendar_today

Updated On:

Products

Top Secret

Issue/Introduction

This article explains why access to a JESSPOOL resource is allowed even when the permit to the resource shows ACCESS(NONE)



Environment

Z/OS 2.5

Top Secret 16.0

 

An acid USERA has the following permit:

 

 TSS LIST(USERA) DATA(ALL,PROFILE)
....
....
 XA JESSPOOL= node1.USERB.             OWNER(owner)
    ACCESS  = NONE

 

With this permit the USERA should not be allowed to see the outputs of USERB however USERA can see the output of USERB.

Cause

A TRACE added to USERA shows the following access:



X TSS-C-0000*USERA     USERA     T JESSPOOL2028 G/0400000000,0000000000  
X TSS-1 400000000000 00000000   T/8000000411      node1.USERB.USERB111.Jxxxxxxx.D0000000.?


 

The Return code is TSS-C-0000 so access is allowed when it should be denied by the permit with ACCESS(NONE)

 

The important point is the T/8000000411

 

The ‘11’ in the T/8000000411 section of the trace means that RECVR allowed access

 

RECVR is a parameter of the RACROUTE macro that specifies the address of the user ID that has the authority to access the resource regardless of whether there is a resource profile to protect it.

Normally this RACVR is used when the user has access to the SDSF resources ISFOPER.DEST and ISFAUTH.DEST 

 

A list of the profiles attached to USERA showed the following permits in one of the profiles:



XA SDSF    = ISFOPER.DEST                                  OWNER(owner  )

   ACCESS  = READ


 XA SDSF    = ISFAUTH.DEST                                  OWNER(owner  )

   ACCESS  = READ

Resolution

Remove one of these permits from the profile and the access to the JESSPOOL resource will be honored with the ACCESS NONE and the access will fail.

Additional Information

Powered by Wolken Software