IBM Support

OA66034: VALUE -GROUP- IS USED INSTEAD OF CONNECTED USER IDS FROM THE RACF_DB2_ACL WHEN CONFIGURATION IDS ARE RACF GROUP IDS

A fix is available

APAR status

  • Closed as program error.

Error description

  • ZPRM installation IDs which are groups are not exploded to their
    connected User IDs if the group is not empty.
    
    
    When using zSecure to provide information to the Guardium
    Vulnerability Assessment product, DB2 installation IDs defined
    in the DSNZPARM configuration data set are not replaced by
    connected user IDs in the RACF_DB2_ACL field by the 'EFFECTIVE'
    field output modifier in cases where installation IDs are RACF
    group IDs.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Users of zSecure Audit exploiting Db2        *
    *                 resource reports (interactive option RE.D,   *
    *                 newlist types DB2_xxx).                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: zSecure Audit does not replace DB2      *
    *                      installation group IDs defined in the   *
    *                      DSNZPARM configuration data set by      *
    *                      connected user IDs in the DB2           *
    *                      consolidated access list.               *
    ****************************************************************
    * RECOMMENDATION: Apply the PTF provided and review the        *
    *                 documentation update.                        *
    ****************************************************************
    When DB2 installation defined IDs (SYSADM, SYSADM2, SYSOPR1,
    SYSOPR2, SECADM1, and SECADM2) refer to RACF groups, zSecure
    Audit does not expand these groups to a list of the connected
    user IDs in the DB2 consolidated access list.
    

Problem conclusion

  • zSecure Audit has been modified, so that DB2 installation
    defined IDs SYSADM, SYSADM2, SYSOPR1, SYSOPR2, SECADM1, and
    SECADM2 are replaced by a list of connected user IDs in cases
    where these installation defined IDs refer to RACF groups in the
    DB2 consolidated access list.
    Please note the documentation change as provided by the APAR
    tracking comment data.
    

Temporary fix

Comments

APAR Information

  • APAR number

    OA66034

  • Reported component name

    AUDIT-R,A,T ACF

  • Reported component ID

    5655T0200

  • Reported release

    250

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2024-01-19

  • Closed date

    2024-09-13

  • Last modified date

    2024-10-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UJ95949 UJ95950

Modules/Macros

  • CKRDB2A  CKRXPL2  GKRDB2A  GKRXPL2
    

Fix information

  • Fixed component name

    ZSEC BASE,ADMIN

  • Fixed component ID

    5655T0100

Applicable component levels

  • R250 PSY UJ95950

       UP24/09/14 P F409

  • R310 PSY UJ95949

       UP24/09/14 P F409

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Modified date:
03 October 2024