Why Is There No Violation Against the CICS Region ACID When Accessing an Application Data Set?

Document ID : KB000012029
Last Modified Date : 14/02/2018
Introduction:

 

The CICS region ACID does not have the NODSNCHK or NOVOLCHK bypasses. It is authorized to access the data sets that the CICS region needs in order to start.

Referring to the official IBM documentation: 

http://www.ibm.com/support/knowledgecenter/SSGMCP_5.2.0/com.ibm.cics.ts.doc/dfht5/topics/dfht533.html 

"Authorizing access to user data sets Version 5.2.0 

When you have defined the RACF user ids for your CICS regions and given them access to the CICS system data sets, permit the user IDs to access the CICS application data sets with the necessary authority."


This means the CICS region ACID needs permission to access not only the system data sets but also the application data sets.

Put the other way round: access to an application data set that is not permitted to the region ACID should be denied.

When a SECTRACE is set, it shows that a security call is issued, but it is made with LOG=NONE. That is why the violation is not logged.

There is no CA Top Secret or CICS security parameter reason why this should happen.

Question:

 

Why is there no violation against the CICS region ACID when accessing an application data set?

Environment:
z/OS
Answer:

 

Remove the option "NOPASS" from the PPT entry for PGMNAME(DFHSIP) in the z/OS SYS1.PARMLIB member SCHEDxx.

"PASS" is the default.

 

When NOPASS is removed and PASS is in effect, the security calls against those data sets are made without LOG=NONE, so the violation is logged.
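
To find PPT entries that still code NOPASS, the following Python check parses the text of a SCHEDxx member and lists the affected programs. It is an added example, not part of the original document or of any CA or IBM tooling. It assumes the member has been exported as plain text with keywords separated by blanks or line breaks and comments in `/* */`; the sample member and the program names HYPOPGM1 and HYPOPGM2 are constructed.

```python
import re

# Constructed SCHEDxx member text for illustration (not from a real system).
SAMPLE_SCHEDXX = """\
/* Constructed sample member */
PPT PGMNAME(DFHSIP)       /* CICS region program named on the page */
    KEY(8)
    NOSWAP
    NOPASS                /* the option the page says to remove */
PPT PGMNAME(HYPOPGM1)     /* hypothetical program name */
    KEY(8) PASS
PPT PGMNAME(HYPOPGM2) NOSWAP   /* no PASS/NOPASS coded: PASS is the default */
"""

OTHER_STATEMENTS = {"MT", "RESTART", "NORESTART"}  # non-PPT SCHEDxx statements


def parse_ppt_entries(member_text):
    """Return {program name: set of option keywords} for each PPT statement."""
    # Drop comments first so a keyword mentioned in a comment is never counted.
    text = re.sub(r"/\*.*?\*/", " ", member_text, flags=re.S)
    tokens = re.findall(r"[A-Z0-9@#$]+(?:\([^)]*\))?", text.upper())
    entries, options, in_ppt = {}, None, False
    for tok in tokens:
        if tok == "PPT":                      # start of a new PPT statement
            in_ppt, options = True, set()
        elif tok in OTHER_STATEMENTS:         # a different statement begins
            in_ppt = False
        elif in_ppt and tok.startswith("PGMNAME("):
            entries[tok[8:-1].strip()] = options
        elif in_ppt:
            options.add(tok)
    return entries


def pass_setting(options):
    """Effective setting: NOPASS only when coded, otherwise the default PASS."""
    return "NOPASS" if "NOPASS" in options else "PASS"


def programs_with_nopass(member_text):
    """List programs whose PPT entry codes NOPASS, for review."""
    return sorted(name for name, opts in parse_ppt_entries(member_text).items()
                  if pass_setting(opts) == "NOPASS")


if __name__ == "__main__":
    for name in programs_with_nopass(SAMPLE_SCHEDXX):
        print(f"PPT entry for {name} codes NOPASS; review it")
```
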

Additional Information:

 

You can review the SCHEDxx parameters in the IBM documentation; the link below, for z/OS 2.1, is used as an example.

 

http://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.ieae200/ieae200540.htm