The CICS region won't start and message "ACF04056 ACCESS TO RESOURCE TCICDT06.DFHINSTL TYPE RSUR BY CICST10 NOT AUTHORIZED" is written to the JESMSGLG, what causes this error?

Document ID : KB000014940
Last Modified Date : 14/02/2018
Question:

The CICS region won't start, and the message "ACF04056 ACCESS TO RESOURCE TCICDT06.DFHINSTL TYPE RSUR BY CICST10 NOT AUTHORIZED" is written to the JESMSGLG. What causes this error?

Answer:

The CICS/CTS violations for DFHINSTL can be addressed either by coding TYPE(SUR) resource rules (the message reports the type as RSUR) or by setting the ACF2/CICS ACF2PARM INITIAL XUSER=YES|NO parameter to NO. The default value for XUSER is YES, so it may be that the region previously picked up a value of XUSER=NO. Note that XUSER=NO switches surrogate userid checking off for the whole region, not just for DFHINSTL; a rule permits only the named accesses.

Details on the ACF2PARM INITIAL XUSER=YES|NO parameter can be found in the section "INITIAL-CICS Interface Startup Parameter".

Details on these validations can be found in the ACF2 documentation in the section "Performing Security Checks for Surrogate Userids".

The following are excerpts from the sections referenced above.

In other environments (such as CICS), the address space might need access to various logonids that it uses without passwords. The resource constructed for this validation could be userid.DFHSTART or userid.DFHINSTL. Since more than one logonid can be involved, you can address the access by writing a single masked rule as follows:

$KEY(********) TYPE(SUR)
 DFH- UID(uid_for_CICS_region) ALLOW 

You can also be more specific as follows: 

$KEY(********) TYPE(SUR)
 DFHSTART UID(uid_for_CICS_region) ALLOW
 DFHINSTL UID(uid_for_CICS_region) ALLOW 

Details on XUSER

Certain CICS functions, such as the EXEC CICS START command, allow the application programmer to initiate a transaction using a userid that is different from that of the requester. CICS can optionally perform a security check to verify whether the requesting userid has the authority to specify and use a different userid for the started transaction. This security check is called a surrogate userid check.

The XUSER= keyword in the CICS system initialization table (SIT) provides the standard means for an installation to control surrogate userid checking. As with many other DFHSIT parameters, the XUSER keyword can also be specified via the CICS SYSIN file or via execution parameter overrides in addition to the DFHSIT macro table itself. It should be noted that all of these items are typically under the control of the CICS systems programmer. 

The CICS interface now controls this DFHSIT keyword via the INITIAL XUSER= initialization parameter. The CICS interface dynamically sets this DFHSIT setting during initialization processing using the value specified via the ACF2PARM parameter file. This overrides any value specified by the CICS systems programmer via the CICS SYSIN file, execution parameter overrides, or the DFHSIT table itself so that it is the security administrator and not the CICS systems programmer that controls surrogate userid checking. 

If surrogate userid checking is in effect, CICS issues SAF validation requests using a CLASS name of SURROGAT and entity names of the following formats: 

uuuuuuuu.DFHINSTL
uuuuuuuu.DFHSTART 

Where uuuuuuuu represents the userid that the current user is attempting to use.
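As an added illustration (not ACF2, CICS or CA code), the following Python model ties together the rule examples above and the SURROGAT entity formats: it parses an ACF04056 message like the one in the question, builds the uuuuuuuu.DFHINSTL / uuuuuuuu.DFHSTART entity, and evaluates TYPE(SUR) rule sets with ACF2-style "*" and "-" masking, so you can see which rule permits which access and what INITIAL XUSER=NO changes. The JESMSGLG line is constructed, the region's UID string (CICSPRODCICST10) and the UID mask CICSPROD- are assumptions (UID strings are site-defined), and the most-specific-match selection is a simplified approximation of ACF2's rule interpretation.

```python
"""Model of the CICS surrogate-userid check against ACF2 TYPE(SUR) rules.

Hypothetical helper (not ACF2 or CICS code): parses an ACF04056 message,
builds the SURROGAT entity uuuuuuuu.DFHSTART / uuuuuuuu.DFHINSTL and
evaluates rule sets with ACF2-style '*' / '-' masking.  UID strings and
the most-specific-match selection are simplified assumptions.
"""
import re
from dataclasses import dataclass

# Constructed JESMSGLG line, matching the message in the question.
SAMPLE_JESMSGLG = ("ACF04056 ACCESS TO RESOURCE TCICDT06.DFHINSTL TYPE RSUR "
                   "BY CICST10 NOT AUTHORIZED")

# Assumed UID string for the region logonid CICST10 (site-defined in ACF2).
REGION_UID = "CICSPRODCICST10"

ACF04056_RE = re.compile(
    r"ACF04056 ACCESS TO RESOURCE (?P<resource>\S+) TYPE R(?P<rtype>\S+) "
    r"BY (?P<lid>\S+) NOT AUTHORIZED")


def parse_acf04056(line):
    """Pull resource (userid.DFHxxxxx), rule type and requesting logonid out
    of an ACF04056 message; returns None for any other line."""
    m = ACF04056_RE.search(line)
    return m.groupdict() if m else None


def acf2_mask_match(mask, value, width=8):
    """ACF2-style masking: '*' matches exactly one character (blank padding
    included), '-' matches the rest of the field.  Simplified model."""
    value = value.upper().ljust(width)
    for i, ch in enumerate(mask.upper()):
        if ch == "-":
            return True
        if i >= len(value) or (ch != "*" and ch != value[i]):
            return False
    return value[len(mask):].strip() == ""


def literal_chars(mask):
    """Specificity score: the mask with more literal characters wins."""
    return sum(1 for c in mask if c not in "*-")


@dataclass
class Entry:
    resource_mask: str   # second qualifier: DFHSTART, DFHINSTL or DFH-
    uid_mask: str        # UID(...) operand
    allow: bool = True   # ALLOW; False models PREVENT


@dataclass
class RuleSet:
    key: str             # $KEY(...) matched against the surrogate userid
    entries: list
    rtype: str = "SUR"   # TYPE(SUR)


def surrogate_check(region_uid, target_userid, function, rulesets, xuser=True):
    """Decision for 'the region starts work under target_userid'.

    xuser=False models INITIAL XUSER=NO: CICS never issues the SURROGAT
    call, so no rule is consulted and no violation is logged.
    """
    if not xuser:
        return "NOT CHECKED"
    entity = f"{target_userid}.{function}".upper()
    userid, _, qualifier = entity.partition(".")
    keys = [r for r in rulesets if r.rtype == "SUR" and acf2_mask_match(r.key, userid)]
    if not keys:
        return "NOT AUTHORIZED"          # no rule set at all -> ACF04056
    ruleset = max(keys, key=lambda r: literal_chars(r.key))
    hits = [e for e in ruleset.entries
            if acf2_mask_match(e.resource_mask, qualifier)
            and acf2_mask_match(e.uid_mask, region_uid, width=24)]
    if not hits:
        return "NOT AUTHORIZED"          # rule set exists but nothing permits it
    best = max(hits, key=lambda e: literal_chars(e.resource_mask) + literal_chars(e.uid_mask))
    return "ALLOWED" if best.allow else "NOT AUTHORIZED"


# The two rule sets from the answer, with the assumed UID mask for the region.
MASKED_RULE = RuleSet("********", [Entry("DFH-", "CICSPROD-")])
SPECIFIC_RULE = RuleSet("********", [Entry("DFHSTART", "CICSPROD-"),
                                     Entry("DFHINSTL", "CICSPROD-")])


def rule_text_for(line, uid_mask):
    """Turn one ACF04056 message into the narrowest rule text that would
    permit exactly that access (text only; compile it with ACF2 yourself)."""
    f = parse_acf04056(line)
    if f is None:
        return None
    userid, _, qualifier = f["resource"].partition(".")
    return f"$KEY({userid}) TYPE({f['rtype']})\n {qualifier} UID({uid_mask}) ALLOW"


if __name__ == "__main__":
    f = parse_acf04056(SAMPLE_JESMSGLG)
    userid, _, qualifier = f["resource"].partition(".")
    for label, rules in [("no rule", []), ("masked rule", [MASKED_RULE]),
                         ("specific rules", [SPECIFIC_RULE])]:
        print(f"{label:15s} {surrogate_check(REGION_UID, userid, qualifier, rules)}")
    print("XUSER=NO       ", surrogate_check(REGION_UID, userid, qualifier, [], xuser=False))
    print(rule_text_for(SAMPLE_JESMSGLG, "CICSPROD-"))
```

Run it as a script to see the no-rule case reproduce the violation, both rule styles permit TCICDT06.DFHINSTL for the region's UID, a UID outside the mask stay denied, and XUSER=NO skip the check altogether. `rule_text_for` prints the narrowest `$KEY(TCICDT06)` rule for the exact message; use the masked `$KEY(********)` form from the answer when many started userids are involved.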