Permitted resource receiving TSS7250E 136

Document ID : KB000005323
Last Modified Date : 14/02/2018
Show Technical Document Details
Issue:

A user that has a permit for a resource is receiving TSS7250E 136, no permit for resource, access denied.
When running TSSSIM the permit is found and the user is granted access.

Resolution:

Check the facility to see if the NORES or RES facility control option is set.  If NORES is set, this needs to be changed to RES so rules for prefixed resources get loaded into the security record for the user.

RES provides for the interpretation and recognition of maskable resources within the facility.  Some examples of maskable resource classes are DATASET, JESSPOOL, DB2DBASE and DB2COLL.  Without RES on the facility, security checks against these resource classes will fail.  To identify a maskable resource class, see the commands documentation.

NORES on a FACILITY means permits for maskable resources will not be loaded into the user's security record when the user signs on.  This would mean that the user is not authorized even though the user has a PERMIT for the maskable resource because the permission was never loaded in storage.

NORES was used to conserve storage in the olden days. RES means that all permissions are loaded into storage.  Since the user record is now loaded in 31 bit high private, there are no longer storage concerns when specifying RES on a facility.

TSSSIM finds the correct permit because it is not actually logging into the facility and creating a security record as defined by the facililty RES/NORES Control Option.

Additional Information:

Information on the Facility Control Options can be found at the following link:

https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/using/specifying-control-options-to-modify-your-security-environment/facilitycontrol-system-facility-processing