Receiving a Security Violation On Maskable Resource Even Though User Is Permitted.

book

Article ID: 52783

calendar_today

Updated On:

Products

CA Cleanup CA Datacom - DB CA Datacom CA Datacom - AD CA Datacom - Server CA CIS CA Common Services for z/OS CA 90s Services CA Database Management Solutions for DB2 for z/OS CA Common Product Services Component CA Common Services CA Datacom/AD CA ecoMeter Server Component FOC CA Easytrieve Report Generator for Common Services CA Infocai Maintenance CA IPC Unicenter CA-JCLCheck Common Component CA Mainframe VM Product Manager CA Chorus Software Manager CA On Demand Portal CA Service Desk Manager - Unified Self Service CA PAM Client for Linux for zSeries CA Mainframe Connector for Linux on System z CA Graphical Management Interface CA Web Administrator for Top Secret CA CA- Xpertware CA Top Secret CA Top Secret - LDAP CA Top Secret - VSE

Issue/Introduction

Question:

A package failed and the programs in it had invalid binds. It was missed and when a plan was run, rather than getting a DB2 error, the problem manifested itself as an access violation to the tables being accessed. The ACID that got the violation was the PLAN OWNER.

Answer:

Check the DB2 facility to see if the NORES or RES facility control option is set. If NORES is set, this needs to be changed to RES so rules for prefixed resources get loaded into the security record for the user.

NORES on a FACILITY means permits for maskable resources will not be loaded into the user's security record when the user signs on. This would mean that the user is not authorized even though the user has a PERMIT for the maskable resource because the permission was never loaded in storage.

NORES was used to conserve storage in the olden days. RES means that all permissions are loaded into storage. Since the user record is now loaded in 31 bit hight private, there are no longer storage concerns when specifying RES on a facility.

When changing from NORES to RES on a FACILITY, a recycle of the region is required to pick up the change.

Additional Information:

Please see the CA Top Secret Control Options Guide for more details about the FACILITY control option RES/NORES.

Environment

Release: TOPSEC00200-15-Top Secret-Security
Component: