Keyring not visible from SYSVIEW with the KEYRINGS command
Article ID: 366803
Products
SYSVIEW Performance Management
Issue/Introduction
ZAPIRING is a keyring and it is not visible from SYSVIEW when issuing the KEYRINGS command.
Environment
SYSVIEW 16.0 & 17.0 - z/OS supported releases
Resolution
This is a security issue. Review the Security Requirements section in the KEYRINGS help:
Security Requirements:
When listing keyrings, there are two SAF authorization modes used to check access to a keyring: granular and global.
Granular authorization is always checked first and checks access to a specific keyring by locating a specific resource under the RDATALIB class. The following table details granular authorization:
+---------------------------------------------------------------------+
| Function                         | Authority required               |
+----------------------------------+----------------------------------+
| List a specific ring owned by a  | READ authority to:               |
| specific user                    | <Ring owner>.<Ring name>.LST     |
+----------------------------------+----------------------------------+
| List all the rings owned by a    | READ authority to:               |
| specific user                    | <Ring owner>.*.LST               |
+----------------------------------+----------------------------------+
| List all rings with a specific   | READ authority to:               |
| name                             | *.<Ring name>.LST                |
+----------------------------------+----------------------------------+
| List all rings                   | READ authority to:               |
|                                  | *.*.LST                          |
+---------------------------------------------------------------------+
When a matching resource is not found under the RDATALIB class, global authorization is used and checks access to keyrings under the FACILITY class. The following table details global authorization:
+---------------------------------------------------------------------+
| Function                         | Authority required               |
+----------------------------------+----------------------------------+
| List one's own rings             | READ authority to:               |
|                                  | IRR.DIGTCERT.LISTRING            |
+----------------------------------+----------------------------------+
| List someone else's rings        | UPDATE authority to:             |
|                                  | IRR.DIGTCERT.LISTRING            |
+---------------------------------------------------------------------+
Adding READ access to the resource RDATALIB(ZWESVUSR.ZAPIRING.LST) resolved the problem.
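The REXX exec below is an added example, not taken from the article or the product help, showing one way to check and grant the granular access described above. It assumes RACF is the SAF security manager (ACF2 and Top Secret use different commands), and SYSVUSER is a placeholder for the user ID that issues the KEYRINGS command.

```rexx
/* REXX - added example; assumes RACF is the SAF security manager.   */
/* SYSVUSER is a placeholder for the user ID that issues KEYRINGS.   */
profile = 'ZWESVUSR.ZAPIRING.LST'   /* <Ring owner>.<Ring name>.LST  */
userid  = 'SYSVUSER'                /* placeholder, not from article */

address tso

/* 1. Show any RDATALIB profile for the resource and its access      */
/*    list, so the current state is known before changing it.        */
"RLIST RDATALIB" profile "AUTHUSER"

/* 2. Define the discrete profile only if step 1 found none.         */
/*    UACC(NONE) keeps the ring listing restricted to users that     */
/*    are permitted explicitly.                                      */
/*    If step 1 listed a generic profile instead, run the PERMIT     */
/*    in step 3 against that profile name.                           */
if rc <> 0 then "RDEFINE RDATALIB" profile "UACC(NONE)"

/* 3. Grant READ, the authority the granular table requires for      */
/*    listing a specific ring owned by a specific user.              */
"PERMIT" profile "CLASS(RDATALIB) ID("userid") ACCESS(READ)"

/* 4. RDATALIB profiles are RACLISTed, so the in-storage copy must   */
/*    be refreshed before the change takes effect.                   */
"SETROPTS RACLIST(RDATALIB) REFRESH"

/* 5. Confirm that the user now appears on the access list.          */
"RLIST RDATALIB" profile "AUTHUSER"
```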