Auditing authorization

When a user requests access to a protected CICS® resource and RACF® denies the request, CICS issues messages, and RACF can issue its own, that let you audit the denial.

Category 1 transactions

Category 1 transactions are part of CICS, and the CICS region user ID is the only ID that is configured to run them. If any other user attempts to run a Category 1 transaction directly, the transaction abends with abend code AXS1. For these reasons, Category 1 transactions do not need to be authorized to run, which makes them different from other transactions. This arrangement is secure because only the CICS region user ID needs to be defined, which minimizes the risk of misconfiguration.

Category 1 and other transaction types are described in Transactions in CICS.

The IBM® Health Checker for z/OS® validates key production region configuration parameters, including the CICS region user ID. For more information about how this is checked, see Reference: Available CICS health checks supported by IBM Health Checker for z/OS.

Information returned to the user about authorization issues

CICS issues an authorization message, such as DFHAC2033, to a terminal user or returns a “not authorized” return code to an application.

CICS messages about authorization issues

CICS writes authorization message DFHXS1111 to the CSCS transient data queue (TDQ). For example:

DFHXS1111 26/09/95 15:34:01 CICSSYS1 Security violation by user JONES
at netname D2D1 for resource FLA32 in class TCICSTRN.
SAF codes are (X'00000008',X'00000000'). ESM codes are (X'00000008',X'00000000').

This message reports that user ID JONES, signed on at the VTAM® terminal with netname D2D1, caused a security violation by requesting access to resource FLA32, which is in class TCICSTRN. The two pairs of codes are the return and reason codes from the System Authorization Facility (SAF) and from the external security manager (RACF) respectively.

Most other CICS authorization messages also go to the CSCS TDQ, except DFHIR and DFHZC messages, which go to the CSMT TDQ.

RACF messages about authorization issues

RACF® sends an ICH408I message to the CICS region's job log and to the z/OS security console. For example:

ICH408I USER(JONES   ) GROUP(DEPT60  ) NAME(M.M.JONES           )
ICH408I   FLA32 CL(FCICSFCT)
ICH408I   INSUFFICIENT ACCESS AUTHORITY
ICH408I   FROM F%A* (G)
ICH408I   ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )

This message reports that user ID JONES, a member of group DEPT60, whose name is M.M.JONES, had INSUFFICIENT ACCESS AUTHORITY to resource FLA32, which is in class FCICSFCT. The RACF profile protecting the resource is F%A*; the (G) indicates that F%A* is a generic profile. The access that user JONES attempted was UPDATE, but the access that RACF allows is READ. Therefore, user ID JONES was denied access.

If the transaction is defined to RACF with LOG(NONE), no ICH408I message is issued.

For a complete description of RACF message ICH408I, see z/OS Security Server RACF Messages and Codes.

CICSPlex SM messages about authorization issues

CICSPlex® SM sends messages to the EYULOG.

Liberty messages about authorization issues

If Liberty accesses CICS resources, through the JCICS or JCICSX APIs, messages are output to the standard CICS message logs. If the Liberty server itself denies the requested access, messages are output to the configured Liberty messages.log file location. Further RACF messages about authorization issues may also be issued to the region's job log and z/OS security console if SAF security is in use and the attribute racRouteLog="ASIS" is specified on the <safAuthorization/> element in server.xml.

Impact of SECPRFX on authorization checks

If you specify the SECPRFX system initialization parameter, the resource profile that is checked is prefixed by the SECPRFX value. With SECPRFX=YES the prefix is the CICS region user ID; with any other value it is that value itself. For example, if SECPRFX=DEV and the FILE PAYROLL is accessed, the check is against the profile DEV.PAYROLL, so the ICH408I and DFHXS1111 messages for a failed check name the prefixed profile, not the bare resource name.
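As an added example (not part of the CICS documentation and not an IBM-supplied tool), the following Python parses the DFHXS1111 and ICH408I messages shown in the two preceding message sections into structured records, pairs them by user ID and resource so that a CICS violation with no matching ICH408I stands out, and works out which profile name CICS passes to RACF under SECPRFX. The sample log text is constructed from the messages on this page plus one extra DFHXS1111 with no ICH408I counterpart; the message layouts follow what this page shows and can differ between releases, the generic-profile matcher is a simplified approximation of RACF's matching rules, and all function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample CSCS TDQ text: the DFHXS1111 from this page plus a second
# violation (SMITH/PAYROLL) that has no ICH408I partner in the job log below.
CSCS_TDQ = """\
DFHXS1111 26/09/95 15:34:01 CICSSYS1 Security violation by user JONES
at netname D2D1 for resource FLA32 in class TCICSTRN.
SAF codes are (X'00000008',X'00000000'). ESM codes are (X'00000008',X'00000000').
DFHXS1111 26/09/95 15:36:10 CICSSYS1 Security violation by user SMITH
at netname D2D7 for resource PAYROLL in class FCICSFCT.
SAF codes are (X'00000008',X'00000000'). ESM codes are (X'00000008',X'00000000').
"""

# Constructed sample job log: the ICH408I message from this page.
JOBLOG = """\
ICH408I USER(JONES   ) GROUP(DEPT60  ) NAME(M.M.JONES           )
ICH408I   FLA32 CL(FCICSFCT)
ICH408I   INSUFFICIENT ACCESS AUTHORITY
ICH408I   FROM F%A* (G)
ICH408I   ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )
"""

@dataclass
class CicsViolation:
    applid: str; user: str; netname: str; resource: str; rclass: str
    saf_rc: int; saf_reason: int; esm_rc: int; esm_reason: int

@dataclass
class RacfViolation:
    user: str; group: str; name: str; resource: str; rclass: str
    reason: str; profile: str; generic: bool; intent: str; allowed: str

# Layout of DFHXS1111 as shown on this page, after folding the wrapped lines.
DFHXS1111_RE = re.compile(
    r"DFHXS1111 \S+ \S+ (?P<applid>\S+) Security violation by user (?P<user>\S+) "
    r"at netname (?P<netname>\S+) for resource (?P<resource>\S+) in class (?P<rclass>\S+)\. "
    r"SAF codes are \(X'(?P<saf_rc>[0-9A-F]{8})',X'(?P<saf_reason>[0-9A-F]{8})'\)\. "
    r"ESM codes are \(X'(?P<esm_rc>[0-9A-F]{8})',X'(?P<esm_reason>[0-9A-F]{8})'\)\.")

def parse_dfhxs1111(text: str) -> list[CicsViolation]:
    """Extract every DFHXS1111 from CSCS TDQ text; the codes are hex in the message."""
    flat = re.sub(r"\s+", " ", text)  # the message wraps over several lines
    return [CicsViolation(m["applid"], m["user"], m["netname"], m["resource"], m["rclass"],
                          int(m["saf_rc"], 16), int(m["saf_reason"], 16),
                          int(m["esm_rc"], 16), int(m["esm_reason"], 16))
            for m in DFHXS1111_RE.finditer(flat)]

ICH_USER_RE = re.compile(r"ICH408I USER\((?P<user>\S+)\s*\) GROUP\((?P<group>\S+)\s*\) NAME\((?P<name>.*?)\s*\)")
ICH_RES_RE = re.compile(r"ICH408I\s+(?P<resource>\S+) CL\((?P<rclass>\S+)\s*\)")
ICH_FROM_RE = re.compile(r"ICH408I\s+FROM (?P<profile>\S+)(?P<generic> \(G\))?")
ICH_ACCESS_RE = re.compile(r"ICH408I\s+ACCESS INTENT\((?P<intent>\S+)\s*\)\s+ACCESS ALLOWED\((?P<allowed>\S+)\s*\)")

def parse_ich408i(text: str) -> list[RacfViolation]:
    """Group ICH408I lines into one record per event; each event starts with a USER( line."""
    blocks: list[list[str]] = []
    for line in text.splitlines():
        if line.startswith("ICH408I USER("):
            blocks.append([])
        if line.startswith("ICH408I") and blocks:
            blocks[-1].append(line.rstrip())
    out = []
    for lines in blocks:
        hdr = ICH_USER_RE.match(lines[0])
        f = dict(user=hdr["user"], group=hdr["group"], name=hdr["name"], resource="", rclass="",
                 reason="", profile="", generic=False, intent="", allowed="")
        for line in lines[1:]:
            if (m := ICH_RES_RE.match(line)):
                f["resource"], f["rclass"] = m["resource"], m["rclass"]
            elif (m := ICH_FROM_RE.match(line)):
                f["profile"], f["generic"] = m["profile"], m["generic"] is not None
            elif (m := ICH_ACCESS_RE.match(line)):
                f["intent"], f["allowed"] = m["intent"], m["allowed"]
            else:  # free-text reason line, e.g. INSUFFICIENT ACCESS AUTHORITY
                f["reason"] = line[len("ICH408I"):].strip()
        out.append(RacfViolation(**f))
    return out

def correlate(cics: list[CicsViolation], racf: list[RacfViolation]) -> list[tuple[CicsViolation, Optional[RacfViolation]]]:
    """Pair each CICS violation with the ICH408I for the same user and resource.
    A CICS violation with no partner deserves a look: RACF logging for that profile
    may be suppressed, or the job log and TDQ you are reading may not line up."""
    index = {(r.user, r.resource): r for r in racf}
    return [(c, index.get((c.user, c.resource))) for c in cics]

def checked_profile_name(resource: str, secprfx: str = "NO", region_userid: str = "") -> str:
    """Name CICS passes to RACF under SECPRFX: NO = bare name, YES = region user ID prefix,
    any other value = that literal prefix."""
    if secprfx.upper() == "NO":
        return resource
    if secprfx.upper() == "YES":
        if not region_userid:
            raise ValueError("SECPRFX=YES needs the CICS region user ID")
        return f"{region_userid}.{resource}"
    return f"{secprfx}.{resource}"

def generic_profile_matches(profile: str, resource: str) -> bool:
    """Simplified RACF generic matching (assumption, enough for the cases here): % is one
    character, ** is anything, a trailing * is the rest of the name, * elsewhere stays within a qualifier."""
    pattern, i = "", 0
    while i < len(profile):
        if profile.startswith("**", i):
            pattern, i = pattern + ".*", i + 2
            continue
        ch = profile[i]
        pattern += (".*" if i == len(profile) - 1 else r"[^.]*") if ch == "*" else "." if ch == "%" else re.escape(ch)
        i += 1
    return re.fullmatch(pattern, resource) is not None

if __name__ == "__main__":
    for c, r in correlate(parse_dfhxs1111(CSCS_TDQ), parse_ich408i(JOBLOG)):
        detail = (f"RACF: {r.reason}, profile {r.profile}{' (generic)' if r.generic else ''}, "
                  f"intent {r.intent}, allowed {r.allowed}") if r else "no ICH408I found"
        print(f"{c.user:<8} {c.rclass:<8} {c.resource:<8} SAF rc={c.saf_rc} -> {detail}")
```

Run it against a real CSCS TDQ extract and job log instead of the constructed samples; if you run with SECPRFX, pass the prefix to checked_profile_name before comparing the resource in DFHXS1111 with the profile named in the ICH408I FROM line.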

Information in CICS statistics about authorization issues

A summary of authorization attempts and failures is provided in CICS statistics. For example:

Successful resource authorizations  :   867     Failed resource authorizations  :    11
Successful command authorizations   :   567     Failed command authorizations   :     3
Successful surrogate authorizations :    51     Failed surrogate authorizations :     0
Successful non-CICS authorizations  :     0     Failed non-CICS authorizations  :     0