What to do if access is allowed or disallowed incorrectly

In addition to the steps detailed in the z/OS Security Server RACF Security Administrator's Guide, use this checklist if access to a resource appears to be incorrectly controlled.

  • Are the switch profiles correctly set?

    • Is RACF active?
    • Are the IBM MQ RACF classes installed and active?

      Use the RACF command, SETROPTS LIST, to check this.

    • Use the IBM MQ DISPLAY SECURITY command to display the current switch status from the queue manager.
    • Check the switch profiles in the MQADMIN class.

      Use the RACF commands, SEARCH and RLIST, for this.

    • Recheck the RACF switch profiles by issuing the IBM MQ REFRESH SECURITY(MQADMIN) command.

  • Has the RACF resource profile changed? For example, has universal access on the profile changed or has the access list of the profile changed?

    • Is the profile generic?

      If it is, issue the RACF command, SETROPTS GENERIC(classname) REFRESH.

    • Have you refreshed the security on this queue manager?

      If required, issue the RACF command SETROPTS RACLIST(classname) REFRESH.

      If required, issue the IBM MQ REFRESH SECURITY(*) command.

  • Has the RACF definition of the user changed? For example, has the user been connected to a new group or has the user access authority been revoked?

    • Have you reverified the user by issuing the IBM MQ RVERIFY SECURITY(userid) command?

  • Are security checks being bypassed due to RESLEVEL?

    • Check the connecting user ID's access to the RESLEVEL profile. Use the RACF audit records to determine what the RESLEVEL is set to.
    • For channels, remember that the access level that the channel initiator's user ID has to RESLEVEL is inherited by all channels: if that user ID has an access level such as ALTER, which bypasses all checks, security checks are bypassed for every channel.
    • If you are running from CICS, check the transaction's RESSEC setting.
    • If RESLEVEL has been changed while a user is connected, that user must disconnect and reconnect before the new RESLEVEL setting takes effect.

  • Are you using queue sharing groups?

    • If you are using both queue sharing group and queue manager level security, check that you have defined all the correct profiles. If a queue manager level profile is not defined, a message is sent to the log stating that the profile was not found.
    • Have you used a combination of switch settings that is not valid, so that full security checking has been switched on?
    • Do you need to define security switches to override some of the queue sharing group settings for your queue manager?
    • Is a queue manager level profile taking precedence over a queue sharing group level profile?
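
The checklist above as one concrete command sequence, added here as an illustration and not taken from the IBM documentation. The subsystem ID CSQ1, its command prefix -CSQ1, the queue profile CSQ1.APP.REQUEST.QUEUE and the user ID MQUSER1 are assumed placeholders; RACF commands are typed in TSO, the IBM MQ commands at the z/OS console, and the /* */ annotations are not part of any command.

```tso
/* 1. Switch profiles: is RACF active, are the IBM MQ classes active and RACLISTed? */
SETROPTS LIST
/* List every switch profile defined for this queue manager. A missing            */
/* CSQ1.NO.xxx.CHECKS profile means that kind of check is ON, not off.            */
SEARCH CLASS(MQADMIN) MASK(CSQ1.)
RLIST MQADMIN CSQ1.NO.QUEUE.CHECKS
/* Compare with what the queue manager itself currently holds, then re-read RACF  */
-CSQ1 DISPLAY SECURITY SWITCHES
-CSQ1 REFRESH SECURITY(MQADMIN)

/* 2. Resource profile: UACC and access list as RACF sees them right now          */
RLIST MQQUEUE CSQ1.APP.REQUEST.QUEUE AUTHUSER
/* Generic profile changed? RACLISTed class changed? Refresh before retesting.     */
SETROPTS GENERIC(MQQUEUE) REFRESH
SETROPTS RACLIST(MQQUEUE) REFRESH
-CSQ1 REFRESH SECURITY(*)

/* 3. User definition: group connections and REVOKE status, then discard the      */
/*    queue manager's cached verification of that user                             */
LISTUSER MQUSER1
-CSQ1 RVERIFY SECURITY(MQUSER1)

/* 4. RESLEVEL: who holds an access level (for example ALTER) that bypasses        */
/*    checks? Check the channel initiator's user ID in this list as well.          */
RLIST MQADMIN CSQ1.RESLEVEL AUTHUSER
```

A user who was connected while RESLEVEL or the resource profile changed still sees the old result until they disconnect and reconnect, so retest from a fresh connection.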
