Checking the Security Bits and Calling the ESM
Each time CP processes an event, it checks the associated ACI Security bits. If any are on, CP sets up an ACIPARMS parameter list and calls the ESM, passing the address of ACIPARMS in General Register 1. See CP Calls to the ACI for the parameter list used on each CP call to the ACI. The ACIBMAPA, ACIBMAPP, and ACIBMAPM fields indicate which security bits were enabled. These three fields contain, respectively, the AUDIT, PROTECT, and MAC settings for the event being executed. For DIAGNOSEs, system functions, and 'ANY' class commands, the high order (X'80') bit in the ACIBMAPx fields contains the security setting. For privileged commands, the ACIBMAPx fields contain settings for privilege classes A through G of the command (X'80' - X'20').
Upon return from the ESM, the return code in the ACICODE field is checked. The supported ESM return codes for each call are documented in CP Calls to the ACI. In general, the return code handling is as follows:
- ACIAUTH (0): Authorization is granted
- ACIDEFR (4): ESM is not there or defers
- ACINOAC (8): Authorization is denied
- ACIUNAV (20): ESM is not available (could not complete function)
- Audit-only calls to the ESM support the ACIAUTH, ACIDEFR and ACIUNAV return codes.
- ACIAUTH and ACIDEFR return codes are handled the same: processing continues.
- If ACINOAC is received, the event will fail with an error message or condition applicable to the event that was issued.
- If ACIUNAV is returned, the event will not be allowed. Most commands fail with message:
  6525E The ESM is unavailable
  Diagnose codes and system functions end with various failing return conditions.
LOGON, AUTOLOG, XAUTOLOG, POSIX SET ID, POSIX GROUP DATABASE QUERY, and POSIX USER DATABASE QUERY ESM calls recognize additional return codes. These are documented in CP Calls to the ACI.
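The check-and-call flow and the general return code handling described above, as an added C model that is not CP or ESM code. The struct holds only the fields named on this page and is not the real ACIPARMS layout; `cp_process_event`, the `esm_*` stubs and the outcome names are hypothetical. Treating a call as audit-only when only AUDIT bits are on, and failing on unsupported or unlisted codes, are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Return codes as listed on this page. */
enum { ACIAUTH = 0, ACIDEFR = 4, ACINOAC = 8, ACIUNAV = 20 };

/* Simplified model holding only the fields this page names; NOT the real ACIPARMS layout. */
struct aciparms_model {
    uint8_t acibmapa, acibmapp, acibmapm;  /* AUDIT, PROTECT, MAC settings */
    int     acicode;                       /* return code stored by the ESM */
};

enum outcome { EV_CONTINUE, EV_DENIED, EV_ESM_UNAVAILABLE, EV_BAD_RC };
typedef void (*esm_fn)(struct aciparms_model *);  /* hypothetical ESM entry point */
static int esm_calls;                              /* how often the ESM was invoked */

/* Skip the ESM when no security bit is on; otherwise call it (esm must be
 * non-NULL) and map ACICODE to an outcome. */
enum outcome cp_process_event(uint8_t audit, uint8_t protect, uint8_t mac, esm_fn esm)
{
    if ((audit | protect | mac) == 0)
        return EV_CONTINUE;                        /* nothing enabled: no ESM call */
    struct aciparms_model p = { audit, protect, mac, 0 };
    int audit_only = (protect | mac) == 0;         /* assumption: only AUDIT bits on */
    esm_calls++;
    esm(&p);
    switch (p.acicode) {
    case ACIAUTH:
    case ACIDEFR: return EV_CONTINUE;              /* handled the same */
    case ACINOAC: return audit_only ? EV_BAD_RC : EV_DENIED;
    case ACIUNAV: return EV_ESM_UNAVAILABLE;       /* not allowed (6525E for most commands) */
    default:      return EV_BAD_RC;                /* assumption: unlisted codes fail closed */
    }
}

/* Constructed ESM stubs. */
void esm_grant(struct aciparms_model *p) { p->acicode = ACIAUTH; }
void esm_defer(struct aciparms_model *p) { p->acicode = ACIDEFR; }
void esm_deny(struct aciparms_model *p)  { p->acicode = ACINOAC; }
void esm_down(struct aciparms_model *p)  { p->acicode = ACIUNAV; }

int main(void)
{
    /* X'80' is the high-order bit used for DIAGNOSEs, system functions and 'ANY' class commands. */
    printf("protect+deny -> %d\n", cp_process_event(0x00, 0x80, 0x00, esm_deny));
    printf("audit+down   -> %d\n", cp_process_event(0x80, 0x00, 0x00, esm_down));
    printf("no bits      -> %d\n", cp_process_event(0x00, 0x00, 0x00, esm_down));
    return 0;
}
```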