After applying IBM maintenance that includes APAR IO11698, all SMP/E commands, such as APPLY or LIST, fail with the following messages:
GIM20703S/T cmd PROCESSING FAILED. THE COMMAND OR SERVICE ROUTINE IS NOT PROTECTED BY A SECURITY MANAGER.
GIM20704S/T cmd PROCESSING FAILED. THE SYSTEM AUTHORIZATION FACILITY (SAF) WAS NOT ABLE TO DETERMINE WHETHER USER userid IS AUTHORIZED TO INVOKE THIS SMP/E COMMAND OR SERVICE ROUTINE. THE SAF RETURN CODE IS safrc. THE SECURITY MANAGER RETURN CODE IS racfrc. THE SECURITY MANAGER REASON CODE IS racfrsn.
IO11698 introduces two PTFs that add System Authorization Facility (SAF) checks to ensure that only users with sufficient access authority can invoke certain SMP/E functions. How do you authorize the SMP/E command or service routine in Top Secret?
The security calls are all in the IBMFAC class and have the following resource name formats:
- GIM.CMD.command for the SMP/E commands, where "command" is the name of the current SMP/E command being attempted. For example:
TSS PERMIT(acid) IBMFAC(GIM.CMD.APPLY) ACCESS(READ)
for the APPLY command.
- GIM.PGM.program for the GIMZIP, GIMUNZIP or GIMIAP service routines, where "program" is the name of the service routine being processed. For example:
TSS PERMIT(acid) IBMFAC(GIM.PGM.GIMZIP) ACCESS(READ)
for the GIMZIP service routine.
To secure the SMP/E commands, define them in Top Secret as a protected resource.
Example:
TSS ADD(owningacid) IBMFAC(GIM.)
It is recommended that you write PERMITs for each SMP/E function; however, if you prefer to allow everyone access to these resources, you can issue PERMIT commands similar to the following:
TSS PERMIT(ALL) IBMFAC(GIM.PGM.) ACCESS(READ)
TSS PERMIT(ALL) IBMFAC(GIM.CMD.) ACCESS(READ)
To identify all users that need specific functions permitted, add the SMP/E resources to the AUDIT record. This logs all accesses to those SMP/E resources, so that future PERMIT commands can be written at a more granular level.
TSS ADD(AUDIT) IBMFAC(GIM.PGM.)
TSS ADD(AUDIT) IBMFAC(GIM.CMD.)
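Once the audit period has shown who uses which function, the granular PERMITs can be generated rather than typed by hand. The following is an added example, not part of the original article or of Top Secret: the function names, the sample ACIDs and the (acid, resource) input pairs are constructed, and the 8-character limits on names are assumptions. It accepts only full GIM.CMD.command and GIM.PGM.program names and refuses the ALL record.

```python
import re
from collections import defaultdict

# Service routines this page names under GIM.PGM.; anything else is rejected.
SERVICE_ROUTINES = {"GIMZIP", "GIMUNZIP", "GIMIAP"}
# Assumption: command names and ACIDs are at most 8 characters.
NAME = re.compile(r"[A-Z][A-Z0-9]{0,7}")
ACID = re.compile(r"[A-Z0-9@#$]{1,8}")

def check_resource(resource):
    """Return resource if it is a full GIM.CMD.x or GIM.PGM.x name, else raise."""
    parts = resource.split(".")
    if len(parts) != 3 or parts[0] != "GIM" or parts[1] not in ("CMD", "PGM"):
        raise ValueError(f"not an SMP/E resource name: {resource!r}")
    if not NAME.fullmatch(parts[2]):
        raise ValueError(f"prefix or malformed name, not a full resource: {resource!r}")
    if parts[1] == "PGM" and parts[2] not in SERVICE_ROUTINES:
        raise ValueError(f"unknown SMP/E service routine: {resource!r}")
    return resource

def build_permits(observations):
    """Turn (acid, resource) pairs into de-duplicated, sorted TSS PERMIT commands."""
    needed = defaultdict(set)
    for acid, resource in observations:
        acid = acid.strip().upper()
        # PERMIT(ALL) is the blanket grant this step is meant to replace.
        if acid == "ALL" or not ACID.fullmatch(acid):
            raise ValueError(f"refusing to permit ACID {acid!r}")
        needed[acid].add(check_resource(resource.strip().upper()))
    return [f"TSS PERMIT({acid}) IBMFAC({res}) ACCESS(READ)"
            for acid in sorted(needed) for res in sorted(needed[acid])]

# Constructed sample: who used what while the AUDIT entries were in place.
SAMPLE = [
    ("SYSPRG1", "GIM.CMD.APPLY"),
    ("SYSPRG1", "GIM.CMD.LIST"),
    ("sysprg1", "gim.cmd.apply"),   # duplicate in different case
    ("PKGUSR", "GIM.PGM.GIMZIP"),
]

if __name__ == "__main__":
    print("\n".join(build_permits(SAMPLE)))
```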