Access to the Top Secret Audit Tracking File in a TSSUTIL Report, in Mode FAIL, when the ACID assigned to the Job has a Permission for Mode WARN in the BATCH Facility?

Document ID : KB000024517
Last Modified Date : 14/02/2018
Show Technical Document Details

Issue:

I have added AUDIT to the Batch Job ACID, used for a TSSUTIL Report. This ACID is in 'BATCH MODE(WARN)'. If the TSSUTIL Batch Dataset, 'DD SMFIN', is the Dataset which the Stared Task CA Top Secret is using, in this case:

PROD.CAI.TSS.AUDIT

...the PERMISSION grants for this 'DD SMFIN' Dataset are in 'MODE(FAIL), FFM ="B F"', according to the Report TSSUTIL produces about itself:

=======================================================================================================
DATE       TIME        SYSI    ACCESSOR   JOBNAME   FFM  VC  PROGRAM  R-ACCESS    A-ACCESS    SRC/DRC  SEC          RESOURCE (TYPE & NAME)
====== ====== ==== =======  ======= === == ======= =======  =======  ======  ====== =================
15 09 09  13:11:52  RVM1  ACID1         JOB1          B       F   TSSUTIL     READ           ALL OK+A    OPN  D     MVSSYS1  PROD.CAI.TSS.AUDIT
=======================================================================================================

However, we've found that if the Audit Tracking File (ATF) is copied to another File, and TSSUTIL is run against that File, the check is done in the Mode PERMITT'd to the User, 'WARN':
=======================================================================================================
DATE       TIME        SYSI    ACCESSOR   JOBNAME   FFM  VC  PROGRAM  R-ACCESS    A-ACCESS    SRC/DRC  SEC          RESOURCE (TYPE & NAME)
====== ====== ==== =======  ======= === == ======= =======  =======  ======  ====== =================
15 09 09  13:20:15  RVM1  ACID1         JOB2          B       W  TSSUTIL      READ          ALL OK+A    OPN D      MVSSYS1  TEST.CAI.TSS.AUDIT
=======================================================================================================

Why, in the case of the ATF that's allocated to the CA Top Secret Task, is the check done in 'FAIL' Mode, in spite of the ACID having a PERMISSION for the Facility in 'WARN' Mode?

Resolution:

When accessing any CA Top Secret Files, i.e. the Security File, the Backup Security File, both the ATF and ATF2 Files and the Recovery File, MODE is always forced to 'FAIL' and an AUDIT Event will be forced.

 

Additional Information:

This is documented in the 'CA User Guide', chapter 9, in the Section titled 'Extend Default Protection'.