Question & Answer
Question
Why am I receiving message DFHXS1111 reporting a security violation against the CICS terminal owning regions (TORs) userid when using the EXEC CICS QUERY SECURITY function in my CICS application owning region (AOR)?
I am seeing DFHXS1111 messages in the CICS AOR log where the application is making the query against a resource id looking for both CONTROL and ALTER access. The DFHXS1111 message is indicating that the CICS TOR's userid does not have control access. A second DFHXS1111 message is written to indicate the signed on userid does not have alter access (which is expected). I don't understand how or why the first DFHXS1111 message is reporting against the TOR's region userid.
Here is an example of the security violation reported against the TOR's region userid:
DFHXS1111 04/04/2019 11:45:19 Security violation by user (TOR region userid) for resource xxxx in class TCICSTRAN. SAF codes are (X'00000008', X'00000000'). ESM codes are (X'00000008',X'00000000'). RACF request made was FASTAUTH.
I have several applications utilizing the QUERY SECURITY call successfully in my regions.
Cause
Answer
There are two ways to resolve:
-
Give the TOR region userid the access access needed to the resource being checked.
-
Bypass the Link check and rely on the checking made against the signed on userid. To bypass the Link check, code USERID=(aor region userid) on the Sessions definition installed on the AOR, or code SECURITYNAME=(aor region userid) on the Connection definition installed on the AOR. This is known as equivalent systems. Thus, when the Link check is made, it is discovered that the Link userid (derived from either USERID or SECURITYNAME) is the AOR region userid itself. In this scenario, the Link check is bypassed because the region is checking against itself.
Product Synonym
CICS/TS CICSTS CICS TS CICS Transaction Server
Was this topic helpful?
Document Information
Modified date:
26 March 2024
UID
dwa1501642