IBM Support

PH67604: UNEXPECTED ACCESS AFTER RUNNING DFH$SM2R

A fix is available


APAR status

  • Closed as program error.

Error description

  • The DFH$SM2R job is used to generate RACF commands that create new
    classes and profiles from security metadata. The user ID that then
    runs the generated CLIST to create those profiles is placed on the
    access list of every profile it creates with ALTER authority, and
    nothing in the generated commands makes this visible. This
    behaviour is documented in IBM Documentation as:
    
    The RDEFINE command adds a profile for the resource to the RACF
    database in order to control access to the resource. It also
    places your user ID on the access list and gives you ALTER
    authority to the resource unless SETROPTS NOADDCREATOR is in
    effect.
    
    Although this is documented RACF behaviour, it conflicts with a
    zero-trust (least-privilege) policy: access is granted to an
    individual user ID rather than to a group, and ALTER authority
    gives that user full control of the resource.
    
    When DFH$SM2R processes security metadata containing multiple
    classes, profiles from earlier classes in the metadata are
    incorrectly carried over into the RACF commands generated for
    subsequent classes. The result is duplicate or misplaced RDEFINE
    statements across different security classes.
    

Local fix

  • Set SETROPTS NOADDCREATOR before running the generated CLIST so
    that RACF does not place the creating user ID on the access list
    of the new profiles. Note that this is a system-wide RACF option,
    not one scoped to the CICS profiles, so agree the change with
    the RACF administrator before setting it.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS users.                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: RDEFINE commands generated from         *
    *                      security metadata by DFH$SM2R leads to  *
    *                      unexpected access being given. Extra    *
    *                      RDEFINE commands also may be generated  *
    *                      in some classes.                        *
    ****************************************************************
    The DFH$SM2R job, which calls DFH$XSR, is used to generate RACF
    commands to create new classes and profiles from a security
    metadata input. The user ID that runs the generated CLIST is then
    given ALTER access to every profile that is created. This is
    documented RACF behaviour, but it is not mentioned in the RACF
    command output from DFH$XSR.
    
    This can mislead the person running the job, because granting
    access to an individual user ID rather than to a group goes
    against a zero-trust (least-privilege) policy.
    
    In cases where there are multiple classes in the security
    metadata being processed, subsequent classes may have extra
    RDEFINE statements added containing profiles from the previous
    class.
    

Problem conclusion

  • CICS has been updated to add an informational message to the RACF
    commands generated from security metadata, explaining that the
    RDEFINE command adds a profile for the resource and places the
    issuing user ID on the access list with ALTER authority unless
    SETROPTS NOADDCREATOR is in effect.
    
    CICS has also been updated to clear the list of profiles already
    processed before generating the next class's RACF commands, so
    that no extra RDEFINE statements for an earlier class's profiles
    are added to a later class.
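The two defects above (the creator's implicit ALTER entry, and profiles from an earlier class carried into a later class's RDEFINE block) can both be checked for in the command file before or after it is run. The following is an added example, not IBM code and not part of DFH$XSR. It parses a constructed sample of RDEFINE/PERMIT commands in the shape DFH$XSR emits, reports every profile that is RDEFINEd under more than one class, and generates the compensating `PERMIT ... ID(userid) DELETE` commands that remove the creating user ID from each new profile's access list when SETROPTS NOADDCREATOR was not in effect. The class names, profile names and the user ID `SECADM1` are assumed values for the example.

```python
"""Audit RACF command output of the kind DFH$SM2R/DFH$XSR generates.

Added example, not IBM code. Works on a constructed sample; point
parse_rdefines() at the real command file to use it for review.
"""
import re
from collections import defaultdict

# Constructed sample, not real DFH$XSR output. The GCICSTRN block
# repeats CEMT and CEDA, which in this metadata belong to TCICSTRN only:
# that is the cross-class carry-over this APAR fixes.
SAMPLE_COMMANDS = """\
RDEFINE TCICSTRN CEMT UACC(NONE) OWNER(CICSADM)
RDEFINE TCICSTRN CEDA UACC(NONE) OWNER(CICSADM)
PERMIT CEMT CLASS(TCICSTRN) ID(CICSOPS) ACCESS(READ)
RDEFINE GCICSTRN CEMT UACC(NONE) OWNER(CICSADM)
RDEFINE GCICSTRN CEDA UACC(NONE) OWNER(CICSADM)
RDEFINE GCICSTRN PAYROLL UACC(NONE) OWNER(CICSADM)
"""

# RDEFINE (or its abbreviation RDEF) followed by class name and profile name.
RDEFINE_RE = re.compile(r"^\s*(?:RDEFINE|RDEF)\s+(\S+)\s+(\S+)", re.IGNORECASE)


def parse_rdefines(text):
    """Return {class: [profile, ...]} in command order; RDEFINE lines only."""
    by_class = defaultdict(list)
    for line in text.splitlines():
        m = RDEFINE_RE.match(line)
        if m:
            by_class[m.group(1).upper()].append(m.group(2).upper())
    return dict(by_class)


def profiles_in_multiple_classes(by_class):
    """Profiles whose RDEFINE appears under more than one class.

    A heuristic for DFH$XSR output: a profile carried over into a later
    class's RDEFINE block is the defect described in this APAR. Returns
    {profile: [classes in the order seen]} for a reviewer to check; it
    does not decide which class the profile really belongs to.
    """
    seen = defaultdict(list)
    for cls, profiles in by_class.items():
        for p in profiles:
            if cls not in seen[p]:
                seen[p].append(cls)
    return {p: c for p, c in seen.items() if len(c) > 1}


def creator_delete_commands(by_class, creator):
    """PERMIT ... DELETE for each profile, removing the creating user ID.

    RDEFINE puts its issuer on the access list with ALTER unless SETROPTS
    NOADDCREATOR is active. These commands undo that after the CLIST has
    run. `creator` is the user ID that ran the CLIST (assumed here).
    """
    cmds = []
    for cls, profiles in by_class.items():
        for p in dict.fromkeys(profiles):  # dedupe within a class, keep order
            cmds.append(f"PERMIT {p} CLASS({cls}) ID({creator}) DELETE")
    return cmds


if __name__ == "__main__":
    defs = parse_rdefines(SAMPLE_COMMANDS)
    for profile, classes in profiles_in_multiple_classes(defs).items():
        print(f"REVIEW: {profile} is RDEFINEd in {', '.join(classes)}")
    for cmd in creator_delete_commands(defs, "SECADM1"):
        print(cmd)
```

Two caveats when using the generated PERMIT DELETE commands on a real system: the profile OWNER keeps control of the profile regardless of the access list, so the OWNER in the metadata should be a group rather than the user running the CLIST; and for classes that are RACLISTed (as the CICS transaction classes normally are) the change is not seen by CICS until `SETROPTS RACLIST(class) REFRESH` is issued.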
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH67604

  • Reported component name

    CICS TS Z/OS V6

  • Reported component ID

    5655YA100

  • Reported release

    400

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / CST / Xsystem

  • Submitted date

    2025-08-01

  • Closed date

    2026-03-11

  • Last modified date

    2026-04-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Modules/Macros

  • DFH$XSR  DFH$XSU
    

Fix information

  • Fixed component name

    CICS TS Z/OS V6

  • Fixed component ID

    5655YA100

Applicable component levels

  • R400 PSY UO07106

       UP26/03/12 P F603  

  • R500 PSY UO07105

       UP26/03/18 P F603  

  • R600 PSY UO07104

       UP26/03/12 P F603  

Fix is available

  • Select the PTF appropriate for your component level.


Document Information

Modified date:
02 April 2026