Trying to read a tape dataset using DFSORT results in a security violation from RACF for the CA 1 YSVC resource YSVCCOND and Abend 9YY-104.

Document ID : KB000051215
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

Trying to read a tape dataset using DFSORT results in a security violation from RACF for the CA 1 YSVC resource YSVCCOND and Abend 9YY-104.

Related messages:

ICH408I USER(userid) GROUP(group) NAME(name)
  YSVCCOND CL(CA@APE)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ) ACCESS ALLOWED(NONE)
CAL052SF 08 000 rsn userid/pgmname/YSVCCOND CAS9034E FUNCTION(RESCHECK) ACCESS TO RESOURCE HAS BEEN DENIED
IEFTMS70 9YY-104 OPCODE=12,CA 1 SVC FUNCTION NOT AUTHORIZED

As per the CA 1 Documentation, the YSVC resource should not be checked during tape processing.

Note, the same tape can be read without problem from the same USER using IEBGENER for example.

Why is DFSORT getting this violation?

Solution:

The violation for the YSVC resource running DFSORT, is caused by the CA 1 version of the DFSORT exit ICETPEX. This exit is supplied with CA 1 and is used by DFSORT to retrieve DCB information (LRECL, BLKSIZE, RECFM and BLOCKCOUNT) from the TMC volume record, for the tape being processed. Since the READ access to the TMC from ICETPEX is not from Tape OPEN or CLOSE, the YSVC resource is checked.

Be sure the USER running DFSORT has appropriate access to YSVC resources YSVCUNCD or YSVCCOND.

For details on CA 1 Security see Systems Programmer Guide Chapter 6: CA 1 Passwords and Security.

If necessary, the CA 1 version of ICETPEX can be disabled by renaming the module in the CAILIB (Release 11.5 and below) or CTAPLINK(Release 12.0).