At CICS startup CA DADS causes RACF security message ICH408I.

Document ID : KB000031629
Last Modified Date : 14/02/2018
Show Technical Document Details

Symptoms: 

 

During CICS PLT phase TWO startup program  DADSPI02 in one CICS region reports many RACF ICH408I access violations ACCESS INTENT(CONTROL).

Other CICS regions do not get these errors during startup and those regions do not have CONTROL access set up in RACF either.

The datasets open and close without error during the CICS region's life without errors and experience no further violations messages even though CONTROL access is not granted. This condition only happens during CICS startup.

The CA DADS Plus for CICS manuals do not indicate that CONTROL access is required. We are reluctant to grant CONTROL access to datasets that are supposed to be read only to avoid the violation messages.

 

 

Cause:

 

CA DADS Plus for CICS  was originally designed to verify VSAM files during PLT processing. To do this, DADS opens files using control interval access, then closes the file and later during PLT processing, opens the file according to the attributes specified in the RDO entry.

 

Resolution:

 

It is no longer necessary for CA DADS Plus for CICS to issue a verify for each file under its control at CICS startup time. 

If you don’t want to give the CICS region CONTROL access, you can change the GLOBAL option in the DADS control file to from VERIFY=YES to VERIFY=NO. This will negate the need for the region to have CONTROL access to files defined to DADS. 

I would look for differences between the two CICS regions and the DADS VERIFY= option. The DADS verify option can be set globally or on the file level. 

The GLOBAL verify option is contained in the DADS control file along with other parameters. To see these parameters enter DADC short cut transaction at a clear screen. What do you see for VERIFY ==> 

The option can be changed from this screen Press PF9, change the parameter and press PF9 to update the value. Batch utility DADBCNTL can also be used to update the control file. The CICS region must be down to update the control file using the batch utility. Or you can close the DADS01 FCT with CICS up. 
Sample JCL follows: 

//UPDATE 
EXEC PGM=DADBCNTL 
//STEPLIB DD DISP=SHR,DSN=your.dads.loadlib 
//DADS01 DD DISP=SHR,DSN=your.dads.control.file 
//SYSIN 
DD * 
UPDATE 
VERIFY=NO 
/* 

The verify option is explained in the Install guide. 


To check  to see if the verify option is on the file level you can use the DADM transaction at a clear screen 


C - CHANGE INFORMATION 
TYPE ===> F NAME ===> file001_ 

And you will see screen and option VSAM VERIFY AT START-UP ===> N 


APPLID A11IC4S5 CA-DADS/PLUS 4.0
FILE ALLOCATION DEFINITION CHANGE 


COMMAND ===> C 

TYPE ===> F NAME ===> FILE001 
DSORG => KSDS 
PRI-DSNAME ===> .FILE001.TEST DISP ==> SHR 
ALT-DSNAME ===> DISP ==> 
ALLOC/OPEN AT COLD START ===> Y Y OPEN AFTER ONLINE ALLOC ===> Y 

ALLOC/OPEN AT WARM START ===> A Y VSAM VERIFY AT START-UP ===> N 

ALLOC/OPEN AT EMER RESTART ===> A Y EFFECTIVE DATE(YYYY/DDD) ===> 0000/000 

 

 

Additional Information:

 

The CA DADS for CICS manuals can be found on the CA web site by Selecting the DOCUMENTATION tab.