What to do if access is allowed or disallowed incorrectly
In addition to the steps detailed in the z/OS Security Server RACF® Security Administrator's Guide, use this checklist if access to a resource appears incorrectly controlled:
- Are the switch profiles correctly set?
  - Is RACF active?
  - Are the WebSphere MQ RACF classes installed and active? Use the RACF command, SETROPTS LIST, to check this.
  - Use the WebSphere MQ DISPLAY SECURITY command to display the current switch status from the queue manager.
  - Check the switch profiles in the MQADMIN class. Use the RACF commands, SEARCH and RLIST, for this.
  - Recheck the RACF switch profiles by issuing the WebSphere MQ REFRESH SECURITY(MQADMIN) command.
- Has the RACF resource profile changed? For example, has universal access on the profile changed or has the access list of the profile changed?
  - Is the profile generic? If it is, issue the RACF command, SETROPTS GENERIC(classname) REFRESH.
  - Have you refreshed the security on this queue manager? If required, issue the RACF command SETROPTS RACLIST(classname) REFRESH. If required, issue the WebSphere MQ REFRESH SECURITY(*) command.
- Has the RACF definition of the user changed? For example, has the user been connected to a new group or has the user access authority been revoked?
  - Have you reverified the user by issuing the WebSphere MQ RVERIFY SECURITY(userid) command?
- Are security checks being bypassed due to RESLEVEL?
  - Check the connecting user ID's access to the RESLEVEL profile. Use the RACF audit records to determine what the RESLEVEL is set to.
  - If you are running from CICS®, check the transaction's RESSEC setting.
  - If RESLEVEL has been changed while a user is connected, they must disconnect and reconnect before the new RESLEVEL setting takes effect.
- Are you using queue-sharing groups?
  - If you are using both queue-sharing group and queue manager level security, check that you have defined all the correct profiles. If a queue manager profile is not defined, a message is sent to the log stating that the profile was not found.
  - Have you used a combination of switch settings that is not valid so that full security checking has been set on?
  - Do you need to define security switches to override some of the queue-sharing group settings for your queue manager?
  - Is a queue manager level profile taking precedence over a queue-sharing group level profile?
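
The checklist commands can be run in one pass as a two-step batch job, with the RACF refreshes placed ahead of the queue manager refresh. This is an added example, not part of the original documentation: CSQ1 (queue manager), QSG1 (queue-sharing group), USER01, the PAYROLL.** profile, the job card and the thlqual data set prefix are placeholders, and MQQUEUE stands for whichever WebSphere MQ class protects the resource in question.

```jcl
//MQSECCHK JOB (ACCT),'MQ SECURITY CHECK',CLASS=A,MSGCLASS=X
//* Added example. All names are placeholders (see the lead-in).
//*
//* Step 1, RACF side, under batch TSO:
//*   SETROPTS LIST    - RACF active, MQ classes active/RACLISTed
//*   SEARCH           - switch profiles for the queue manager and
//*                      the queue-sharing group in MQADMIN
//*   RLIST ... AUTHUSER - UACC and access list of the RESLEVEL
//*                      profile and of the resource profile
//*   LISTUSER         - group connections and revoke status
//*   SETROPTS ... REFRESH - pick up generic/RACLISTed changes
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS LIST
  SEARCH CLASS(MQADMIN) MASK(CSQ1)
  SEARCH CLASS(MQADMIN) MASK(QSG1)
  RLIST MQADMIN CSQ1.RESLEVEL AUTHUSER
  RLIST MQQUEUE CSQ1.PAYROLL.** AUTHUSER
  LISTUSER USER01
  SETROPTS GENERIC(MQQUEUE) REFRESH
  SETROPTS RACLIST(MQQUEUE) REFRESH
/*
//* Step 2, queue manager side: MQSC commands through CSQUTIL.
//MQSC     EXEC PGM=CSQUTIL,PARM='CSQ1'
//STEPLIB  DD DISP=SHR,DSN=thlqual.SCSQANLE
//         DD DISP=SHR,DSN=thlqual.SCSQAUTH
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  COMMAND DDNAME(CMDINP)
/*
//CMDINP   DD *
* Switch status before the refresh
  DISPLAY SECURITY ALL
* Re-read switch profiles and discard cached resource checks
  REFRESH SECURITY(*)
* Force the user to be re-verified on next access
  RVERIFY SECURITY(USER01)
* Switch status after the refresh, for comparison
  DISPLAY SECURITY ALL
/*
```

Compare the two DISPLAY SECURITY outputs in SYSPRINT with the switch profiles listed by SEARCH. A switch reported on with no matching profile to explain it is the case the checklist describes as a combination of settings that is not valid.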