What to do if access is allowed or disallowed incorrectly
In addition to the steps detailed in the z/OS Security Server RACF Security Administrator's Guide, use this checklist if access to a resource appears incorrectly controlled:
- Are the switch profiles correctly set?
  - Is RACF active?
  - Are the WebSphere MQ RACF classes installed and active? Use the RACF command, SETROPTS LIST, to check this.
  - Use the WebSphere MQ DISPLAY SECURITY command to display the current switch status from the queue manager.
  - Check the switch profiles in the MQADMIN class. Use the RACF commands, SEARCH and RLIST, for this.
  - Recheck the RACF switch profiles by issuing the WebSphere MQ REFRESH SECURITY(MQADMIN) command.
- Has the RACF resource profile changed? For example, has universal access on the profile changed or has the access list of the profile changed?
  - Is the profile generic? If it is, issue the RACF command, SETROPTS GENERIC(classname) REFRESH.
  - Have you refreshed the security on this queue manager? If required, issue the RACF command SETROPTS RACLIST(classname) REFRESH. If required, issue the WebSphere MQ REFRESH SECURITY(*) command.
- Has the RACF definition of the user changed? For example, has the user been connected to a new group or has the user access authority been revoked?
  - Have you reverified the user by issuing the WebSphere MQ RVERIFY SECURITY(userid) command?
- Are security checks being bypassed due to RESLEVEL?
  - Check the connecting user ID's access to the RESLEVEL profile. Use the RACF audit records to determine what the RESLEVEL is set to.
  - If you are running from CICS, check the transaction's RESSEC setting.
  - If RESLEVEL has been changed while a user is connected, they must disconnect and reconnect before the new RESLEVEL setting takes effect.
- Are you using queue-sharing groups?
  - If you are using both queue-sharing group and queue manager level security, check that you have defined all the correct profiles. If a queue manager profile is not defined, a message is sent to the log stating that the profile was not found.
  - Have you used a combination of switch settings that is not valid so that full security checking has been set on?
  - Do you need to define security switches to override some of the queue-sharing group settings for your queue manager?
  - Is a queue manager level profile taking precedence over a queue-sharing group level profile?