Issue:
"I am able to do the DEF USER, DEF VIEW commands but my RACF Group does NOT have any access rights from a RACF perspective. I'm assuming I can do that because reading the manual it states if I am a user in the master directory I have authority. THIS SHOULD NOT HAPPEN. RACF should stop me from issuing the commands if my RACF group is not in the profiles needed for these commands (DEF USER, DEF VIEW, etc.). This tells me external security is NOT working."
Environment:
View 12.x
External Security rules
Cause:
External Security is working as expected. When using an External Security setup, CA View checks the SARINIT MASTER parameter before it checks whether there are security rules that allow execution of the DEF VIEW, DEF USER, and similar commands. You can determine whether a user has Master authority by executing the DEF USER command and reviewing the M column to see if there is a "Y".
Resolution:
The SARINIT parameter MASTER has the highest priority for executing the DEF xxx commands, no matter what is defined in the SECURITY parameters.
In further detail, in the case of this environment, the SARINIT parameters are:
MASTER=RICRO02
SECID=VIEWROX
SECLIST=ALL
SECTRAN=NO
SECURITY=EXTERNAL
This indicates that ONLY RICRO02 is able to execute the DEF VIEW command and that, even though SECURITY=EXTERNAL is specified, processing stops after the first check and no other calls are made.
If you want the External Security package to determine who is able to issue the DEF VIEW command, then you would need to specify the following in SARINIT:
MASTER=ALL
SECID=VIEWROX
SECLIST=NONE
SECTRAN=NO
SECURITY=EXTERNAL
This would then require the proper rules to be set up and used by the External Security package.
Additional Information:
As always, please contact CA Technologies support for CA View/Deliver if you have further questions.