I just activated the CA Symdump CICS external security feature. When I attempt to use one of the secured options I receive message CAIN3323 restricted option but I do not see any security messages in the CICS log. Why?

Document ID : KB000126349
Last Modified Date : 07/02/2019
Show Technical Document Details
Question:
The client configured the Symdump CICS external security option EXTSEC=Y to prevent user from using certain administrator options of Symdump CICS. When a user  selects one of the secured options they receive message CAIN3323 restricted option entered. The user does not see any Top Secret violation message is the CICS LOG. The client would like to see security violation messages in the CICS Log so they can monitor the Symdump CICS activity. Why do I not see any security messages?
 
Environment:
Z/OS 
CICS
Answer:
The current design of Symdump CICS does not write any security messages to the CICS log when the external security option is turned on.
 
When you turn on  the Symdump CICS external security feature parameter EXTSEC=Y in module IN25OPTS the Symdump CICS CODE issues an EXEC CICS QUERY SECURITY command to see if the user is allowed to use that Symdump CICS option.
 
On the QUERY SECURITY command they have specified parameter LOGMESSAGE(NOLOG) so no security messages are written to the CICS log MSGUSR.
 
Below is an example of the CICS Query Security command specifying NOLOG on the LOGMESSAGE parameter.
 
MVC   QUERYSEC_LOGMESSAGE_CVDA,DFHVALUE(NOLOG)        
 
EXEC  CICS QUERY SECURITY                                  
      RESCLASS(CA@NTSYM_RESCLASS),                       
      RESID(0(R6)),     
      RESIDLENGTH(QUERYSEC_RESLEN),     
      LOGMESSAGE(QUERYSEC_LOGMESSAGE_CVDA),       
      READ(QUERYSEC_READ_CVDA),  
      UPDATE(QUERYSEC_UPDATE_CVDA),   
      CONTROL(QUERYSEC_CONTROL_CVDA),        
      ALTER(QUERYSEC_ALTER_CVDA),            
      NOHANDLE 
  
Since we have clients that use the external security we cannot turn on messages in mid release and change the behavior of the product.  If messages are generated then we need the ability to suppress these messages for clients who do not want to flood the CICS log with messages.  A parameter would need to be added to the product to generate or suppress these messages. An enhancement request would have to be requested.