IBM Support

PM40120: ENHANCEMENT TO MANAGE IMS MESSAGES BELONGING TO A SPECIFIC APPLICATION AND PREVENT ACTIONS FROM NON-AUTHORIZED USERS

A fix is available

APAR status

  • Closed as new function.

Error description

  • There is a requirement to allow control of QCF actions, such as
    Browse, Query, Unload or Load, to be done by specific QCF users
    against IMS transaction messages. More specifically, the need is
    to allow USER1 to manipulate only TRAN1 messages, and to prevent
    USER1 from manipulating any other transaction's messages.
    
    This enhancement is based on FITS REQ MR1115106934.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of QCF - install this APAR to have *
    *                 destination control activated. If no         *
    *                 destination control table is supplied, only  *
    *                 the RACF security will be in control (if     *
    *                 RACF has been set up). If destination        *
    *                 control table is created, compiled and       *
    *                 installed, in addition to RACF control a new *
    *                 destination level control will be in effect. *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    An internal destination control table is created using ACCESS
    control statements.
    The table defines the authorization for TSO users or submitters
    of batch jobs to perform QCF functions upon specific destination
    types and destination names within a specific IMS and plex.
    The table is valid within the plex and is linked with the name
    "IQCplexname" in hlq.SIQCLOAD.
    If no "IQCplxname" load module is found in hlq.SIQCLOAD,
    no destination control is performed and only the RACF
    security (if any) as described in chapter 10 is in place.
    If the "IQCplxname" load module is found, destination control
    is performed for each message to make sure that the USERID has
    authorization to perform the function for the message in the
    plex and in the IMS.
    All users have full access to all messages in all control
    regions for function QUERY.
    This function shows only the number of messages to each
    destination and does not show any particular content of the
    messages.
    
    ACCESS control statements to define the destination control
    table
    
    ACCESS statements are created for an IMS and USERID in a plex.
    (USERID can be a group of users starting with the same prefix:
    USRT001 is a single user, USRT0* is a group of users with
    the same destination access.)
    If the destination table ("IQCplxname" load module) exists,
    but no valid entry is found for the IMS and USERID, the userid
    is not authorized to perform any functions within the IMS.
    Parameters of ACCESS statements:
    IMSID=imsid or *
           IMSID is required.
    USERID=userid or abc* for userids starting with the same
           character. USERID is required.
    INCLUDE - this parameter defines the functions and the message
              types and names that are allowed for the user.
    EXCLUDE - this parameter defines the functions and the message
              types and names that are not allowed for the user.
    Subparameters for INCLUDE and EXCLUDE:
       FUNCTION=B(rowse), U(nload), L(oad), R(ecover) or A(ll)
       DESTYPE=LT(erm), TR(ansaction), APPC, OTMA or ALL
       DESNAME=destination or dest* for destinations starting
               with the same character.
    When a USERID performs a QCF function within an IMS and a
    destination control table exists, the ACCESS statements are
    looked up for each retrieved message to find the one that is
    most relevant to the IMS and the USERID.
    
    The scan of the ACCESS statements is done in the following
    sequence and stops when the first relevant ACCESS statement is
    found:
    - exact IMSID and exact USERID
    - exact IMSID and USERID*
    - exact IMSID and all userids (*)
    - all IMSs (*) and exact USERID
    - all IMSs (*) and USERID*
    - all IMSs (*) and all userids
    
    After the ACCESS statement is selected, the INCLUDE and EXCLUDE
    parameters are applied for the current function, destination
    type and destination name:
    - If there are no INCLUDEs, the message is accepted and
      processing continues with the check of the EXCLUDEs.
    - If there are INCLUDEs, the message is checked against the
      INCLUDEs and is rejected if it does not satisfy any INCLUDE.
    - If the message satisfies one INCLUDE, processing continues
      with the check of the EXCLUDEs.
    - If there are no EXCLUDEs, the messages that pass the
      INCLUDEs are accepted.
    
     Sample input to create the destination control table
     (the sample destination control member IQCDSTCI is in the
     hlq.SIQCSAMP library):
    
    
     ACCESS(IMSID=*,USERID=*)
     ACCESS(IMSID=SYS3,USERID=USRT002,
       EXCLUDE(FUNCTION(B,L,U),DESTYPE(ALL),DESNAME(E*))
       EXCLUDE(FUNCTION(B,L,U),DESTYPE(ALL),DESNAME(C*)))
     ACCESS(IMSID=****,USERID=USRT003,
       INCLUDE(FUNCTION(B,L),DESTYPE(LT,TR,APPC,OTMA),DESNAME(E*))
       INCLUDE(FUNCTION(A),DESTYPE(LT,OTMA),DESNAME(A*))
       EXCLUDE(FUNCTION(B,L),DESTYPE(LT,TR,APPC),DESNAME(ER1*)))
    
     Sample JCL to create the destination control table is provided
     in hlq.SIQCSAMP(IQCSYNTY).
     After the destination control table is created, the control
     region and the server have to be restarted for the changes
     to take effect.
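
Added example (not part of the APAR text and not IBM QCF code): a Python model of the ACCESS scan order and the INCLUDE/EXCLUDE evaluation described above, run against a constructed table modelled on the sample member. The dictionary layout, the "QUERY" function label, the first-entry tie-break and reading the sample's IMSID=**** as * are assumptions.

```python
# Added illustration of the lookup rules above; not IBM QCF code.
# Constructed table modelled on the sample member. Assumption: the sample's
# IMSID=**** is written here as "*" (all IMSs).
TABLE = [
    {"imsid": "*", "userid": "*"},
    {"imsid": "SYS3", "userid": "USRT002",
     "exclude": [({"B", "L", "U"}, {"ALL"}, "E*"),
                 ({"B", "L", "U"}, {"ALL"}, "C*")]},
    {"imsid": "*", "userid": "USRT003",
     "include": [({"B", "L"}, {"LT", "TR", "APPC", "OTMA"}, "E*"),
                 ({"A"}, {"LT", "OTMA"}, "A*")],
     "exclude": [({"B", "L"}, {"LT", "TR", "APPC"}, "ER1*")]},
]

def tier(pattern, value):
    """0 = exact match, 1 = prefix* match, 2 = bare '*', None = no match."""
    if pattern == value:
        return 0
    if pattern == "*":
        return 2
    if pattern.endswith("*") and value.startswith(pattern[:-1]):
        return 1
    return None

def select_access(table, imsid, userid):
    """Return the most relevant ACCESS entry per the six-step scan order."""
    best = None
    for entry in table:
        i, u = tier(entry["imsid"], imsid), tier(entry["userid"], userid)
        if i in (None, 1) or u is None:     # IMSID is an exact name or '*' only
            continue
        rank = (0 if i == 0 else 1, u)      # exact IMSID first, then USERID tier
        if best is None or rank < best[0]:  # assumption: table order breaks ties
            best = (rank, entry)
    return best[1] if best else None

def rule_hits(rule, function, destype, desname):
    """True when one INCLUDE/EXCLUDE rule covers function, type and name."""
    funcs, types, name = rule
    return (("A" in funcs or function in funcs)
            and ("ALL" in types or destype in types)
            and tier(name, desname) is not None)

def authorized(table, imsid, userid, function, destype, desname):
    if function == "QUERY":                 # QUERY is open to all users
        return True
    entry = select_access(table, imsid, userid)
    if entry is None:                       # table exists, no valid entry: deny
        return False
    hit = lambda rules: any(rule_hits(r, function, destype, desname) for r in rules)
    inc, exc = entry.get("include", []), entry.get("exclude", [])
    return (not inc or hit(inc)) and not hit(exc)
```

Under these rules the catch-all ACCESS(IMSID=*,USERID=*) statement, which carries no INCLUDE or EXCLUDE, accepts every function for any user not matched by a more specific statement; without it, such users are not authorized.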
    

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    PM40120

  • Reported component name

    IMS QUEUE CNTL

  • Reported component ID

    5697E9900

  • Reported release

    310

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2011-05-25

  • Closed date

    2012-05-04

  • Last modified date

    2012-06-03

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UK78516

Modules/Macros

  • H0GN310J IQC##### IQCBIN10 IQCDSTCI IQCDSTC0
    IQCQMR1A IQCQMR1B IQCQMR1C IQCQMR19 IQCQMR2A IQCQMR2B IQCQMR2C
    IQCQMR29 IQCQMR9A IQCQMR9B IQCQMR9C IQCQMR99 IQCSIN10 IQCSYNTY
    IQCXSEL6 IQCZIN10
    

Fix information

  • Fixed component name

    IMS QUEUE CNTL

  • Fixed component ID

    5697E9900

Applicable component levels

  • R310 PSY UK78516

       UP12/05/08 P F205

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Modified date:
03 June 2012