A fix is available
APAR status
Closed as program error.
Error description
Customer has recently migrated to SAF for security checking and now, when issuing a NetView command from an MVS console that is not logged on to, BNH274E is received. NetView should be using an ID of *BYPASS* when the console is not logged on to, and according to our security manual it will not be security checked, yet it actually is being checked and RACF returns RC 4, meaning no decision could be made. The customer has SAFNODEC set to FAIL, and thus that results in the BNH274E message.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All users of Tivoli NetView for z/OS who     *
*                 enter NetView commands from an MVS console   *
*                 via the SSI (SubSystem Interface).           *
****************************************************************
* PROBLEM DESCRIPTION: When entering a NetView command from an *
*                      MVS console with AUTH=MASTER that is    *
*                      not logged on and the following are     *
*                      true:                                   *
*                      - the setting for CMDAUTH is SAF        *
*                      - the setting for SAFNODEC is FAIL      *
*                      the command fails with msgBNH274E,      *
*                      indicating a command authorization      *
*                      decision could not be made.             *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When a NetView command is entered from an MVS console using the command designator characters or the modify (F) command to the NetView started procedure, the current userid is extracted and used for command security. If the command is entered on a system console that is not logged on, a userid of *BYPASS* is used. When command authorization checking is done using a table (CAT), authorization checking for this case is always bypassed. However, if SAF security checking is done, the userid of *BYPASS* is passed to SAF, which responds with a return code of 4 (no decision could be made). When SAFNODEC is set to FAIL, the command fails.
Problem conclusion
Because this security setup has been in place for many years, some installations may want the command security to fail for the environment listed above, if the operator's authorization really can't be determined. However, if the console has MASTER authority, it's reasonable that all commands should be allowed. Therefore, module DSISSICD is being changed such that when a command is entered from an MVS system console that is not logged on and that has MASTER authority, authorization will be bypassed, even when SAF is used for command authorization.

Also, the following changes should be made to Chapter 3, Controlling Access to Commands, in the Tivoli NetView for z/OS V6R2 and V6R2M1 Security Reference manuals (SC27-2863-04 and SC27-2863-06, respectively):

- The third bullet in the section titled "Exceptions to Command Authorization Checking" should be changed to read as follows:

  o Commands issued from a source ID of *BYPASS* are treated differently than commands issued from other sources. The SOURCEID will default to *BYPASS* if the command was entered at an extended multiple console support (EMCS) console and the operator was not logged on to the EMCS console. Refer to the table named SOURCEID Determination in the section titled Determining SOURCEID Values for Authority Checking for information about how security checking is or is not performed for these commands.

- The second paragraph in the entries for Command and Environment of both "NetView commands that are received over the subsystem interface (SSI) that were entered at an MVS operator console." and "NetView commands that are entered using the MVS MODIFY command." in the table named SOURCEID Determination in the section titled Determining SOURCEID Values for Authority Checking should be changed to read as follows:

  If an operator has not logged on that MVS console, the SOURCEID of that task defaults to *BYPASS*.

  When a command is issued from a source ID of *BYPASS*, the following are true:

  o If the AUTH value of the console issuing the command is MASTER, the command is not checked for authority by the command authorization table or SAF.

  o If a command authorization table is being used for command security, the command is not checked for authority.

  o If SAF is being used for command security and the AUTH value of the console issuing the command is not MASTER, SAF returns a code of 4, indicating no security decision could be made. In that case, the SAFNODEC or BACKTBL setting is used to determine whether the command passes command authorization. Using BACKTBL gives more flexibility of command authorization choices.
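The authorization flow described in the problem summary and conclusion can be followed more easily as a decision model. The following Python is an added illustration, not NetView or DSISSICD code: it models SOURCEID determination, the CAT and SAF paths, the SAF return code of 4 for *BYPASS*, and the SAFNODEC/BACKTBL fallback, with a flag that switches between the behaviour before and after the DSISSICD change. The SAF stand-in, the `profiles` dictionary, the userids OPER1/OPER2, the SAFNODEC value PASS, and the rule that a defined BACKTBL is consulted before SAFNODEC are assumptions made for the example.

```python
"""Decision model of NetView command authorization for commands entered at an
MVS console over the SSI, before and after the DSISSICD change in this APAR.
Constructed illustration, not NetView code.  SAF return codes follow the usual
RACROUTE REQUEST=AUTH meaning: 0 allowed, 4 no decision, 8 denied."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set


class CmdAuth(Enum):
    TABLE = "TABLE"  # command authorization table (CAT)
    SAF = "SAF"      # external security manager such as RACF


class Outcome(Enum):
    BYPASSED = "not checked"
    ALLOWED = "allowed"
    DENIED = "denied"
    BNH274E = "BNH274E: no decision and SAFNODEC=FAIL"
    BACKTBL = "no decision, decided by BACKTBL"


@dataclass
class Console:
    userid: Optional[str]  # None when nobody is logged on to the console
    auth_master: bool      # True for AUTH=MASTER


@dataclass
class Settings:
    cmdauth: CmdAuth
    safnodec: str = "FAIL"         # FAIL (from the APAR) or PASS (assumed)
    backtbl: Optional[str] = None  # name of a backup CAT, if one is defined


def source_id(console: Console) -> str:
    # SOURCEID defaults to *BYPASS* when no operator is logged on.
    return console.userid if console.userid else "*BYPASS*"


def saf_check(userid: str, command: str, profiles: Dict[str, Set[str]]) -> int:
    """Stand-in for the SAF call (constructed).  *BYPASS* is not a real
    userid, so SAF can make no decision and returns 4."""
    if userid == "*BYPASS*" or command not in profiles:
        return 4
    return 0 if userid in profiles[command] else 8


def authorize(console: Console, command: str, settings: Settings,
              profiles: Dict[str, Set[str]], dsissicd_fixed: bool) -> Outcome:
    sid = source_id(console)
    if sid == "*BYPASS*":
        # After the fix: a MASTER console that is not logged on is never checked,
        # regardless of whether CAT or SAF is in use.
        if dsissicd_fixed and console.auth_master:
            return Outcome.BYPASSED
        # CAT checking always bypasses *BYPASS*, with or without the fix.
        if settings.cmdauth is CmdAuth.TABLE:
            return Outcome.BYPASSED
    if settings.cmdauth is CmdAuth.TABLE:
        # Constructed CAT: same per-command userid sets as the SAF stand-in.
        return Outcome.ALLOWED if sid in profiles.get(command, set()) else Outcome.DENIED
    rc = saf_check(sid, command, profiles)
    if rc == 0:
        return Outcome.ALLOWED
    if rc == 8:
        return Outcome.DENIED
    # rc == 4: SAF made no decision.  Assumed here: a defined BACKTBL is
    # consulted first; otherwise SAFNODEC decides (FAIL gives BNH274E).
    if settings.backtbl:
        return Outcome.BACKTBL
    return Outcome.BNH274E if settings.safnodec.upper() == "FAIL" else Outcome.ALLOWED


def scenarios() -> Dict[str, Outcome]:
    """Constructed cases covering every branch described in the APAR."""
    profiles = {"LIST": {"OPER1"}}  # constructed: only OPER1 may issue LIST
    master_not_logged_on = Console(userid=None, auth_master=True)
    nonmaster_not_logged_on = Console(userid=None, auth_master=False)
    saf_fail = Settings(CmdAuth.SAF, safnodec="FAIL")
    return {
        "before_fix_saf_master": authorize(master_not_logged_on, "LIST", saf_fail, profiles, False),
        "after_fix_saf_master": authorize(master_not_logged_on, "LIST", saf_fail, profiles, True),
        "cat_master_not_logged_on": authorize(master_not_logged_on, "LIST", Settings(CmdAuth.TABLE), profiles, False),
        "after_fix_saf_nonmaster": authorize(nonmaster_not_logged_on, "LIST", saf_fail, profiles, True),
        "after_fix_saf_nonmaster_backtbl": authorize(
            nonmaster_not_logged_on, "LIST", Settings(CmdAuth.SAF, backtbl="BACKCAT"), profiles, True),
        "logged_on_oper1": authorize(Console("OPER1", False), "LIST", saf_fail, profiles, True),
        "logged_on_oper2": authorize(Console("OPER2", False), "LIST", saf_fail, profiles, True),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:34s} -> {outcome.value}")
```

The first two scenarios are the customer's situation: with CMDAUTH=SAF and SAFNODEC=FAIL, a MASTER console that nobody is logged on to gets BNH274E before the change and is bypassed after it. A non-MASTER console that is not logged on still reaches SAF, still gets return code 4, and is then governed by BACKTBL or SAFNODEC exactly as the revised manual text states.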
Temporary fix
Comments
**** PE17/08/07 FIX IN ERROR. SEE APAR OA53109 FOR DESCRIPTION
APAR Information
APAR number
OA51349
Reported component name
AUTO CNTL NETV
Reported component ID
5698LSA01
Reported release
11B
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-09-27
Closed date
2017-02-14
Last modified date
2017-09-29
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UA91091 UA91092
Modules/Macros
DSISSICD
Fix information
Fixed component name
AUTO CNTL NETV
Fixed component ID
5698LSA01
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
09 August 2022