If the security profile for a TS pool cannot be retrieved, SAF neither
grants nor refuses the access request. In this situation:
Access to the TS pool, either by a CICS region or by the TS server itself,
is rejected if:
- A security manager is installed, but is either temporarily inactive or
inoperative for the duration of the MVS™ image. This is a fail-safe action, on the
grounds that, if the security manager is active, it might retrieve a profile
that does not permit access to the TS pool.
Access to the TS pool, either by a CICS region or by the TS server itself,
is accepted if:
- There is no security manager installed, or
- There is an active security manager, but the FACILITY class is inactive,
or there is no profile in the FACILITY class. The access request is allowed
in this case because there is no evidence that you want to control access
to the TS server.
Access is permitted to any TS server without a specific DFHXQ.
poolname profile, or an applicable generic profile. No messages are issued
to indicate this. To avoid any potential security exposures, you can use generic
profiles to protect all, or specific groups of, TS servers. For example, specifying:
RDEFINE FACILITY (DFHXQ.*) UACC(NONE)
ensures that access is
allowed only to TS servers with a more specific profile to which a TS server
or CICS region is authorized.