System authorization facility (SAF) responses to the TS server

If the security profile for a TS pool cannot be retrieved, SAF neither grants nor refuses the access request. In this situation:

Access to the TS pool, either by a CICS region or by the TS server itself, is rejected if:
  • A security manager is installed, but is either temporarily inactive or inoperative for the duration of the MVS™ image. This is a fail-safe action, on the grounds that, if the security manager were active, it might retrieve a profile that does not permit access to the TS pool.
Access to the TS pool, either by a CICS region or by the TS server itself, is accepted if:
  • There is no security manager installed, or
  • There is an active security manager, but the FACILITY class is inactive, or there is no profile in the FACILITY class. The access request is allowed in this case because there is no evidence that you want to control access to the TS server.
Access is permitted to any TS server that has neither a specific DFHXQ.poolname profile nor an applicable generic profile. No messages are issued to indicate this. To avoid any potential security exposures, you can use generic profiles to protect all, or specific groups of, TS servers. For example, specifying:
RDEFINE FACILITY (DFHXQ.*) UACC(NONE)
ensures that access is allowed only to TS servers with a more specific profile to which a TS server or CICS region is authorized.
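
Because no message is issued when a pool has no covering profile, the gap has to be found by comparing pool names against the FACILITY profiles that exist. The following check is an added example, not IBM-supplied code: the pool names and profile list are constructed sample data, and the generic matching is a simplified model that assumes single-qualifier pool names.

```python
import re

# Constructed sample data (not from the original page): TS pool names in use
# and FACILITY-class profile names copied from a security-manager listing.
POOLS = ["PRODTSQ1", "PRODTSQ2", "TESTTSQ1"]
PROFILES = ["DFHXQ.PRODTSQ1", "DFHXQ.PROD*"]


def _to_regex(profile):
    """Simplified generic matching (assumption): '*' matches any run of
    characters inside one qualifier, '%' matches exactly one character."""
    parts = []
    for ch in profile:
        if ch == "*":
            parts.append("[^.]*")
        elif ch == "%":
            parts.append("[^.]")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts) + r"\Z")


def covering_profile(pool, profiles):
    """Return the profile that would cover DFHXQ.<pool>, or None."""
    resource = "DFHXQ." + pool.upper()
    if resource in profiles:  # a specific profile takes precedence
        return resource
    generics = [p for p in profiles
                if ("*" in p or "%" in p) and _to_regex(p).match(resource)]
    # Approximate "most specific" as the generic with the longest literal part.
    return max(generics,
               key=lambda p: len(p.replace("*", "").replace("%", "")),
               default=None)


def unprotected_pools(pools, profiles):
    """Pools with no specific or generic profile: access is accepted silently."""
    return [p for p in pools if covering_profile(p, profiles) is None]


if __name__ == "__main__":
    print("open before backstop:", unprotected_pools(POOLS, PROFILES))
    print("open after backstop: ",
          unprotected_pools(POOLS, PROFILES + ["DFHXQ.*"]))
```

The check covers profile existence only; an inactive FACILITY class also results in accepted access, and that has to be confirmed separately in the security manager.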