A fix is available
APAR status
Closed as new function.
Error description
New Function CATKEYS: CAT2024 CATNEW CATAUTH CATVSAM
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All users of z/OS 2.5 and above who OPEN     *
*                 VSAM data sets while running supervisor      *
*                 state or key 0 and who do not have the       *
*                 bypass bit set on                            *
****************************************************************
* PROBLEM DESCRIPTION: New function                            *
****************************************************************
* RECOMMENDATION: New function                                 *
****************************************************************
New function
Problem conclusion
Temporary fix
Comments
Changes to "z/OS DFSMS Managing Catalogs", SRL SC236853xx, section "Controlling Catalog Functions with RACF Profiles in the FACILITY Class or XFACILIT Class":
https://www.ibm.com/docs/en/zos/3.1.0?topic=racfrp-controlling-catalog-functions-racf-profiles-in-facility-class-xfacilit-class

At the bottom of this section, change the last sentence from:

  If the FACILITY class is already active, the SETROPTS command is not necessary.

to:

  If the FACILITY class is already active, refresh it with SETROPTS (SETROPTS RACLIST(FACILITY) REFRESH when the class is RACLISTed) so that the new profile takes effect.

Add the following paragraph:

  Exception: The FACILITY class profile for STGADMIN.IGG.AUTO.BYPASS.LOG should be defined similar to the following, so that all users' bypasses of SAF checks during VSAM OPENs can be logged. See https://www.ibm.com/docs/en/zos/3.1.0?topic=racf-protection-vsam-data-sets.

    RDEFINE FACILITY STGADMIN.IGG.AUTO.BYPASS.LOG UACC(READ) AUDIT(SUCCESS) OWNER(CATADMIN)

  Or use UACC(NONE) on the above command and then issue:

    PERMIT STGADMIN.IGG.AUTO.BYPASS.LOG CLASS(FACILITY) ID(*) ACCESS(READ)

Changes to "z/OS DFSMS Managing Catalogs", section
https://www.ibm.com/docs/en/zos/3.1.0?topic=ccfrpifcxc-storage-administration-stgadmin-profiles-in-facility-class-xfacilit-class

Add the following to the list of profiles:

  STGADMIN.IGG.AUTO.BYPASS.LOG
  VSAM OPEN routines bypass RACF security checking if the program issuing OPEN is in supervisor state or protection key 0. The FACILITY class resource STGADMIN.IGG.AUTO.BYPASS.LOG, supported by APAR OA66738, enables users to log this behavior in SMF 80 records. See https://www.ibm.com/docs/en/zos/3.1.0?topic=racf-protection-vsam-data-sets.

Changes to "z/OS DFSMSdfp Storage Administration", SRL SC236860xx, section
https://www.ibm.com/docs/en/zos/3.1.0?topic=class-command-keyword-related-profiles

Add the following to the list of profiles:

  STGADMIN.IGG.AUTO.BYPASS.LOG
  VSAM OPEN routines bypass RACF security checking if the program issuing OPEN is in supervisor state or protection key 0. The FACILITY class resource STGADMIN.IGG.AUTO.BYPASS.LOG, supported by APAR OA66738, enables users to log this behavior in SMF 80 records. See https://www.ibm.com/docs/en/zos/3.1.0?topic=racf-protection-vsam-data-sets.

Changes to "z/OS DFSMS Using Data Sets", SRL SC236855xx, section "RACF protection for VSAM data sets":
https://www.ibm.com/docs/en/zos/3.1.0?topic=racf-protection-vsam-data-sets

Change the last sentence of this section from:

  VSAM OPEN routines bypass RACF security checking if the program issuing OPEN is in supervisor state or protection key 0.

to this paragraph:

  Bypassing RACF protection (sub-heading)

  VSAM OPEN routines bypass RACF security checking if the program issuing OPEN is in supervisor state or protection key 0. APARs OA66738 and OA67032 enable users to log this behavior. When the PTFs for OA66738 and OA67032 are applied, for each bypass of VSAM OPEN an authorization check for READ authority to the FACILITY class resource STGADMIN.IGG.AUTO.BYPASS.LOG is performed. Installations can specify logging options on the profile covering this resource to request that an SMF 80 record be written containing information about the bypass.

  The result is that when a user opens a VSAM data set while running in supervisor state or key 0, does not have the ACBBYPSS or JSCBPASS bit on, and therefore bypasses the SAF check, an SMF 80 RACF processing record is written if logging is enabled for that resource or for that user. Because the RACROUTE REQUEST=AUTH is issued with LOG=NOFAIL, SMF 80 records are written only for successful accesses to STGADMIN.IGG.AUTO.BYPASS.LOG; a profile that denies READ (for example UACC(NONE) without the PERMIT shown below) therefore produces no records at all. The SMF 80 records are ACCESS records for the resource STGADMIN.IGG.AUTO.BYPASS.LOG. The qualifier "SUCCESS" on these ACCESS records means only that the user has at least READ access to STGADMIN.IGG.AUTO.BYPASS.LOG; it has no bearing on whether the user has access to the data set being opened. The existence of an SMF 80 ACCESS record for STGADMIN.IGG.AUTO.BYPASS.LOG means only that a bypass has occurred.

  Custom message in the SMF 80 STGADMIN.IGG.AUTO.BYPASS.LOG ACCESS record:

    SAF CHECK BYPASSED FOR VSAM OPEN. PROGRAM NAME=<program name (8 char)>, JOB STEP=<job step name (8 char)>, DSN=<data set name (44 char)>

  To activate logging for all users, issue the following command:

    RDEFINE FACILITY STGADMIN.IGG.AUTO.BYPASS.LOG UACC(READ) AUDIT(SUCCESS)

  Our recommendation is to set UACC(READ) and AUDIT(SUCCESS) on the RDEFINE of STGADMIN.IGG.AUTO.BYPASS.LOG so that SMF 80 records are written for all users who run jobs that include OPENs that automatically bypass the SAF check. Or use UACC(NONE) on the above command and then issue:

    PERMIT STGADMIN.IGG.AUTO.BYPASS.LOG CLASS(FACILITY) ID(*) ACCESS(READ)

  See https://www.ibm.com/docs/en/zos/3.1.0?topic=racfrp-controlling-catalog-functions-racf-profiles-in-facility-class-xfacilit-class for more information about using Catalog FACILITY class resources.

  Setting the ACBBYPSS bit on the ACB of a data set allows explicit bypass of security checking. This is the recommended approach for programs that intend to bypass the check, and it avoids the log records: only automatic bypasses, with both ACBBYPSS and JSCBPASS off, are logged.
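The following Python script is an added example; it is not part of the APAR and is not an IBM utility. It pulls the custom message text described above out of SMF 80 ACCESS records for STGADMIN.IGG.AUTO.BYPASS.LOG and reports which programs and job steps opened which VSAM data sets with the SAF check bypassed, then flags programs that are not on an installation allowlist. It assumes the SMF 80 records have already been unloaded to text (for example with the RACF SMF data unload utility); the USER=/RESOURCE=/EVENT=/QUAL=/MSG= line layout, the sample records, the program and data set names, and the EXPECTED_PROGRAMS allowlist are all constructed for the example and do not represent a real unload format.

```python
"""Report SAF-check bypasses on VSAM OPEN from unloaded SMF 80 records.

Added example; not IBM code.  Assumes the SMF 80 ACCESS records for
STGADMIN.IGG.AUTO.BYPASS.LOG have already been unloaded to text.  The
USER=/RESOURCE=/EVENT=/QUAL=/MSG= line layout used here is constructed
for the example and is not the real unload format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

RESOURCE = "STGADMIN.IGG.AUTO.BYPASS.LOG"

# Outer record layout: constructed for this example.
_LINE_RE = re.compile(
    r"USER=(?P<user>\S+)\s+RESOURCE=(?P<resource>\S+)\s+"
    r"EVENT=(?P<event>\S+)\s+QUAL=(?P<qual>\S+)\s+MSG=(?P<msg>.*)$"
)

# Custom message text as documented in APAR OA66738 (fields 8/8/44 chars,
# possibly blank padded).
_MSG_RE = re.compile(
    r"SAF CHECK BYPASSED FOR VSAM OPEN\.\s*"
    r"PROGRAM NAME=(?P<program>[^,\s]{1,8})\s*,\s*"
    r"JOB STEP=(?P<step>[^,\s]{1,8})\s*,\s*"
    r"DSN=(?P<dsn>\S{1,44})\s*$"
)


@dataclass(frozen=True)
class Bypass:
    user: str
    program: str
    step: str
    dsn: str


def parse_bypass(line):
    """Return a Bypass for one unloaded record, or None if the line is not a
    well-formed ACCESS record for the logging resource.

    QUAL is deliberately not consulted: SUCCESS only means the user had READ
    to STGADMIN.IGG.AUTO.BYPASS.LOG, not that access to DSN was allowed.
    """
    m = _LINE_RE.match(line.strip())
    if not m or m["resource"] != RESOURCE or m["event"] != "ACCESS":
        return None
    msg = _MSG_RE.match(m["msg"].strip())
    if not msg:
        return None
    return Bypass(m["user"], msg["program"], msg["step"], msg["dsn"])


def summarize(lines):
    """Map (program, job step) -> sorted data sets opened with the check bypassed."""
    by_program = defaultdict(set)
    for line in lines:
        b = parse_bypass(line)
        if b:
            by_program[(b.program, b.step)].add(b.dsn)
    return {key: sorted(dsns) for key, dsns in by_program.items()}


def unexpected_bypasses(lines, expected_programs):
    """Bypasses by programs outside the installation's allowlist of authorized
    programs known to open VSAM data sets in supervisor state or key 0."""
    return [b for b in map(parse_bypass, lines)
            if b is not None and b.program not in expected_programs]


# Constructed sample records (not real SMF data).  The third line is for a
# different resource and the fourth has a truncated message; both are skipped.
SAMPLE = [
    "USER=SYSPROG1 RESOURCE=STGADMIN.IGG.AUTO.BYPASS.LOG EVENT=ACCESS QUAL=SUCCESS "
    "MSG=SAF CHECK BYPASSED FOR VSAM OPEN. PROGRAM NAME=PGMAUTH1, JOB STEP=STEP1   , "
    "DSN=PROD.CUST.KSDS",
    "USER=BATCH07  RESOURCE=STGADMIN.IGG.AUTO.BYPASS.LOG EVENT=ACCESS QUAL=SUCCESS "
    "MSG=SAF CHECK BYPASSED FOR VSAM OPEN. PROGRAM NAME=PGMAUTH1, JOB STEP=STEP1, "
    "DSN=PROD.CUST.AIX",
    "USER=BATCH07  RESOURCE=STGADMIN.IGG.DELETE.NOSCRTCH EVENT=ACCESS QUAL=SUCCESS "
    "MSG=",
    "USER=BATCH07  RESOURCE=STGADMIN.IGG.AUTO.BYPASS.LOG EVENT=ACCESS QUAL=SUCCESS "
    "MSG=SAF CHECK BYPASSED FOR VSAM OPEN. PROGRAM NAME=PGMAUTH2, JOB STEP=",
    "USER=BATCH07  RESOURCE=STGADMIN.IGG.AUTO.BYPASS.LOG EVENT=ACCESS QUAL=SUCCESS "
    "MSG=SAF CHECK BYPASSED FOR VSAM OPEN. PROGRAM NAME=ZZNEW01 , JOB STEP=RUN, "
    "DSN=PROD.PAYROLL.KSDS",
]

# Hypothetical allowlist maintained by the installation.
EXPECTED_PROGRAMS = {"PGMAUTH1"}

if __name__ == "__main__":
    for (program, step), dsns in sorted(summarize(SAMPLE).items()):
        print(f"{program:<8} {step:<8} {', '.join(dsns)}")
    for b in unexpected_bypasses(SAMPLE, EXPECTED_PROGRAMS):
        print(f"UNEXPECTED: {b.user} ran {b.program} step {b.step} on {b.dsn}")
```

The allowlist check is the part worth keeping current: every record here is an ACCESS SUCCESS for the logging resource by design, so the signal is not the qualifier but a supervisor-state or key 0 program opening VSAM data sets that the installation did not expect to do so. Remember that a profile denying READ would stop these records from being written at all, so an empty report should be checked against RLIST output for the profile before being read as "no bypasses".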
APAR Information
APAR number
OA66738
Reported component name
ICF CATALOG & I
Reported component ID
5695DF105
Reported release
310
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / New Function / Xsystem
Submitted date
2024-07-15
Closed date
2024-12-10
Last modified date
2025-01-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
OA67032 UJ96433 UJ96440
Modules/Macros
IGG0CLEA IGG0CLFT IGG0CLH0
Publications Referenced
SC236855xx SC236853xx SC236860xx
Fix information
Fixed component name
ICF CATALOG & I
Fixed component ID
5695DF105
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. Distribution on physical media is not available in all countries.
Document Information
Modified date:
02 January 2025