When there are no SURROGAT resources defined to CA Top Secret, even in FAIL mode, it is possible for CICS transactions to run with any ACID.
The security trace shows RC=04, but SAF has to return x'00' rather than x'04' to CICS, because CICS only understands x'00' or x'08' as a SAF return code:
x'00' for allowed access
x'08' for failed access
This is why access is allowed. To prevent this from happening, two options are available; see the instructions below.
In order to prevent any SURROGAT access from undefined SURROGAT resources, choose one of the following options:
1) Define the following SURROGAT resource to CA Top Secret and permit it to the *ALL* record as shown below:
TSS ADD(dept) SURROGAT(*.DFHSTART)
TSS PER(ALL) SURROGAT(*.DFHSTART) ACTION(FAIL)
2) Add the DEFPROT attribute to the SURROGAT class in the RDT via:
TSS REP(RDT) RESCLASS(SURROGAT) ATTR(DEFPROT)
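The return-code mapping and the effect of both options, as an added Python sketch that is not CA Top Secret code or part of the original article. It is a simplified model: the ACID names, the mask matching via `fnmatchcase`, the permit precedence (the ACID's own permits before the ALL record) and the extra explicit permit in the last configuration are assumptions made for illustration.

```python
# Simplified model of the behaviour described above. It is NOT CA Top Secret's
# real algorithm; mask matching and permit precedence are assumptions.
from fnmatch import fnmatchcase

def saf_rc(acid, resource, owned, permits, defprot=False):
    """Return the RC the security trace would show: 0, 4 or 8."""
    if not any(fnmatchcase(resource, mask) for mask in owned):
        # Resource not defined: RC=04, or a failure when the class is DEFPROT.
        return 8 if defprot else 4
    # Assumption: the ACID's own permits are checked before the ALL record,
    # and the longest matching mask wins within each.
    for holder in (acid, "ALL"):
        hits = [(mask, action) for h, mask, action in permits
                if h == holder and fnmatchcase(resource, mask)]
        if hits:
            _, action = max(hits, key=lambda hit: len(hit[0]))
            return 8 if action == "FAIL" else 0
    return 8  # defined, but nothing permits it

def cics_sees(rc):
    """Per the article, CICS only understands x'00' or x'08'; RC=04 arrives as x'00'."""
    return 0 if rc in (0, 4) else 8

def allowed(acid, target, **cfg):
    """True if 'acid' could start work under the 'target' userid."""
    return cics_sees(saf_rc(acid, f"{target}.DFHSTART", **cfg)) == 0

# Constructed configurations (ACID names are made up).
NO_SURROGAT = dict(owned=[], permits=[])
OPTION_1 = dict(owned=["*.DFHSTART"],
                permits=[("ALL", "*.DFHSTART", "FAIL")])
OPTION_2 = dict(owned=[], permits=[], defprot=True)
# Option 1 plus one explicit permit (action None = plain permit, no ACTION(FAIL)).
OPTION_1_PLUS = dict(owned=["*.DFHSTART"],
                     permits=[("ALL", "*.DFHSTART", "FAIL"),
                              ("CICSRGN1", "CICSDFLT.DFHSTART", None)])

if __name__ == "__main__":
    configs = [("no SURROGAT resources", NO_SURROGAT), ("option 1", OPTION_1),
               ("option 2", OPTION_2), ("option 1 + permit", OPTION_1_PLUS)]
    for name, cfg in configs:
        print(f"{name:22} CICSDFLT={allowed('CICSRGN1', 'CICSDFLT', **cfg)} "
              f"SYSADM1={allowed('CICSRGN1', 'SYSADM1', **cfg)}")
```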
Release: TOPSEC00200-15-Top Secret-Security