What to do if access is allowed or disallowed incorrectly

In addition to the steps detailed in the z/OS Security Server RACF Security Administrator's Guide, use this checklist if access to a resource appears incorrectly controlled:

• Are the switch profiles correctly set?

  • Is RACF active?

  • Are the WebSphere MQ RACF classes installed and active?

    Use the RACF command, SETROPTS LIST, to check this.

  • Use the WebSphere MQ DISPLAY SECURITY command to display the current switch status from the queue manager.

  • Check the switch profiles in the MQADMIN class.

    Use the RACF commands, SEARCH and RLIST, for this.

  • Recheck the RACF switch profiles by issuing the WebSphere MQ REFRESH SECURITY(MQADMIN) command.

• Has the RACF resource profile changed? For example, has universal access on the profile changed or has the access list of the profile changed?

  • Is the profile generic?

    If it is, issue the RACF command, SETROPTS GENERIC(classname) REFRESH.

  • Have you refreshed the security on this queue manager?

    If required, issue the RACF command SETROPTS RACLIST(classname) REFRESH.

    If required, issue the WebSphere MQ REFRESH SECURITY(*) command.

• Has the RACF definition of the user changed? For example, has the user been connected to a new group or has the user access authority been revoked?

  • Have you reverified the user by issuing the WebSphere MQ RVERIFY SECURITY(userid) command?

• Are security checks being bypassed due to RESLEVEL?

  • Check the connecting user ID's access to the RESLEVEL profile. Use the RACF audit records to determine what the RESLEVEL is set to.

  • If you are running from CICS, check the transaction's RESSEC setting.

  • If RESLEVEL has been changed while a user is connected, they must disconnect and reconnect before the new RESLEVEL setting takes effect.

• Are you using queue-sharing groups?

  • If you are using both queue-sharing group and queue manager level security, check that you have defined all the correct profiles. If queue manager profile is not defined, a message is sent to the log stating that the profile was not found.

  • Have you used a combination of switch settings that is not valid so that full security checking has been set on?

  • Do we need to define security switches to override some of the queue-sharing group settings for your queue manager?

  • Is a queue manager level profile taking precedence over a queue-sharing group level profile?