When a user requires access to a protected resource (such as a CICS® transaction) and RACF® denies the requested access, you will often have to analyze the problem before deciding what action to take.
For a brief description of message ICH4081, see RACF message ICH408I. For complete descriptions of this and all other RACF messages, see z/OS Security Server RACF Messages and Codes.
If message ICH408I is issued for an authorization failure, RACF is active. The message text itself indicates the userid for which the authorization check was done and the name of the RACF profile that was used for the check.
When issued because of a CICS-originated authorization check, the RACF sends the ICH408I message to the CICS region's job log. Most CICS authorization messages also go to the CSCS transient data queue, except DFHIR and DFHZC messages, which go to the CSMT transient data queue.
If no profile exists for a particular resource, RACF returns a "profile not found" indication to CICS. CICS issues message DFHXS1111 with a SAF return code of X'00000004' and an ESM code of X'00000000'. No ICH408I message is issued in this case. The RLIST command issues a message stating that no profile was found.