'Re: CICS CEMT I PROG'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       racf-l
Subject:    Re: CICS CEMT I PROG
From:       "Robert S. Hansel (RSH)" <R.Hansel () RSHCONSULTING ! COM>
Date:       2008-03-28 10:07:55
Message-ID: NCBBLKNFEEPHCAAMOFKLGEENIOAA.R.Hansel () RSHConsulting ! com
[Download RAW message or body]

Bertito,

The violation is related to program access (PPT), not command security
(CMD). The SIT XPPT=$GENPPT parameter activates program protection using the
class pair M$GENPPT and N$GENPPT. The message indicates the violation was
related to M$GENPPT.

If the RESSEC parameter on a transaction is set to YES, CICS will check the
user's access authority to any resource (i.e., program) the transaction
attempts to access. If the transaction attempts to access a CICS resource
that is not RACF protected, CICS (not RACF) denies access to it. The
violation message shows the SAF and ESM return codes were both X'00000004'
which indicates undefined resource. This is why the problem disappeared when
you created an M$GENPPT profile or N$GENPPT grouping class profile member
covering program CMTCSDR1 and granted SPDEXTER access to it.

Regards, Bob

------------------------------------------------------------------------
Robert S. Hansel       | 2008 RACF Training (January - July)
Lead RACF Specialist   | > Intro & Basic Admin - Boston - APR 29 - MAY 1
RSH Consulting, Inc.   | > Audit for Results   - Boston - MAY 20-22
www.rshconsulting.com  |
617-969-8211           | Visit our website for registration & details
------------------------------------------------------------------------

-----Original Message-----
Date:    Thu, 27 Mar 2008 16:41:58 -0400
From:    Bertito Jaico <bjaico@UPS.COM>
Subject: CICS CEMT I PROG

Could someone please shed some clarity to this situation.

One of our CICS Systems Programmer sent me the following error message
after issuing the CEMT I PROG(CMTCSDR1) command:
DFHXS1111 03/26/2008 13:40:49 CTA6 CEMT Security violation by user
SPDEXTER at netname NVIGB001 for resource CMTCSDR1 in
           class M$GENPPT. SAF codes are (X'00000004',X'00000000'). ESM
codes are (X'00000004',X'00000000').
The SIT parameter are as follows:
        XCMD=NO
        XPPT=$GENPPT
        XTRAN=$HRXTRN

Why is the user failing access to do an inquiry to a program when
command security (XCMD=NO) is set to NO?
The user has access to the CEMT transaction (* READ) and should the
access checking stopped at CEMT?

There is no profile entry for the program CMTCSDR1 either in the
grouping/single entry classes (N$GENPPT/M$GENPPT).
But when I defined a profile for CMTCSDR1, the access error went away.

TIA,
Bertito Jaico
Information Security Services
bjaico@ups.com
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic