ESP Security errors after applying PTF LU11648

Article ID: 398388

Products

ESP Workload Automation

Issue/Introduction

We got ESP security errors after applying PTF LU11648, such as the following:
User AAAAAA denied access to User ID bb\ccccccccccc in Appl XXXXXX Job YYYYYYY

Environment

Component: ESP Workload Automation
Release: 12.0

Cause

As explained in the PTF:

                      ***************************                      
                      *       PUBLICATION       *                      
                      ***************************                      
                                                                       
 The ESP Workload Automation core currently truncates all the resource 
names that are examined in authorization calls to the maximum security 
class length, which means that the users cannot use some of the        
security profiles that ESP examines to determine access rights. The    
truncation is done by the security facility call itself, not by ESP    
directly.                                                              
 The only solution to this is to switch to a new security class,       
preferably the IBM-recommended XFACILIT.                               
 However, another legacy limitation of ESP is not allowing the use of  
security classes with maximum length exceeding 128 characters.         
 This fix removes this length limitation. However, due to technical    
reasons, the fix also removes the resource name truncation. This can   
lead to security violations, especially for RACF users, since RACF     
considers a resource name exceeding the security class limit to be a   
serious security violation and abends with 282-054.                    
 To preserve compatibility with the previous behavior while the user is
transitioning to the XFACILIT class, ESP introduces a new USERMOD 202, 
which forces ESP to truncate the resource names before performing the  
security calls.                                                        
                                                                       
 Consider turning USERMOD 202 ON after installing this PTF and turning 
the USERMOD OFF after migrating your security definitions to the       
XFACILIT security class.                                               
                                                                       

Resolution

There are two possible solutions:
#1  Turn USERMOD 202 ON after installing this PTF if you are not using the XFACILIT security class.
#2  After migrating to the XFACILIT security class, turn USERMOD 202 OFF.
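
The truncation described in the PTF text can be checked against your own resource names before you choose between the two options. The following is an added example, not code from this article or from the product: for a given class maximum length it lists the names that exceed it and the distinct names that become identical once truncated. The sample names and the 39 and 246 character limits are assumptions; confirm the limits for your own security classes.

```python
# Added illustration; sample names and class limits are assumptions.
from collections import defaultdict

LEGACY_MAX = 39     # assumed: a 39-character class limit (e.g. FACILITY)
XFACILIT_MAX = 246  # assumed: XFACILIT maximum profile name length

# Constructed resource names, not real ESP profiles.
SAMPLE = [
    "SAMPLE.PROFILE.USERID.DOMAIN01.SERVICEACCT.PAYROLL",
    "SAMPLE.PROFILE.USERID.DOMAIN01.SERVICEACCT.BILLING",
    "SAMPLE.PROFILE.SHORTNAME",
]


def effective_name(resource, class_max, truncate):
    """Name the security call would receive. truncate=True models the old
    behaviour / USERMOD 202 ON; truncate=False models the PTF with USERMOD
    202 OFF, where None marks an over-length name passed untruncated."""
    if len(resource) <= class_max:
        return resource
    return resource[:class_max] if truncate else None


def audit(resources, class_max):
    """Return (over_length_names, collisions), where collisions maps a
    truncated name to the distinct full names that collapse onto it."""
    over = [r for r in resources if len(r) > class_max]
    groups = defaultdict(list)
    for r in resources:
        groups[r[:class_max]].append(r)
    collisions = {k: v for k, v in groups.items() if len(set(v)) > 1}
    return over, collisions


if __name__ == "__main__":
    for limit in (LEGACY_MAX, XFACILIT_MAX):
        over, collisions = audit(SAMPLE, limit)
        print(f"class limit {limit}: {len(over)} name(s) exceed it")
        for short, full in collisions.items():
            print(f"  {short} is checked for all of: {', '.join(full)}")
```

A collision means one truncated profile has been deciding access for several different resources, so those are the definitions to review first when moving to the longer class.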