A fix is available
APAR status
Closed as program error.
Error description
The difference in behaviour between the releases is due to a change in the behaviour of the QUERY SECURITY command. At 5.3, QUERY SECURITY resulted in one call to DFHXSRC (the CICS resource checking module) for each access level being queried. At 5.6, an optimised call is made and DFHXSRC is called once to check all the requested access levels. The problem is that the optimised routine for command security checks in DFHXSRC incorrectly requires CMDSEC(YES) to be set. The user transaction has CMDSEC(NO), which causes the call to the ESM to be bypassed and the QUERY SECURITY command to return OK instead of NOTAUTH. Everything appears to work when CEDF is being used because CEDF has CMDSEC(YES) and forces that to be used. Raise an APAR so that we can correct the QUERY SECURITY command to not require CMDSEC(YES).
Local fix
An alternative solution to the problem is to define the transaction with CMDSEC(YES).
Problem summary
****************************************************************
* USERS AFFECTED: All CICS users.                              *
****************************************************************
* PROBLEM DESCRIPTION: QUERY SECURITY always returns OK for    *
*                      transactions defined with CMDSEC(NO).   *
****************************************************************
When an application issues an EXEC CICS QUERY SECURITY RESTYPE('SPCOMMAND') command from a transaction which has CMDSEC(NO) set in its transaction definition, CICS will return 'OK' instead of 'NOTAUTH' even when the user who ran the transaction does not have the correct permissions.
Problem conclusion
CICS has been updated so that CMDSEC(YES) does not have to be set to correctly identify if the user has permission to use a QUERY SECURITY command within a program.
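The regression in the error description and the corrected behaviour, as a simplified Python model with a differential test against the per-level path. This is an added example, not CICS or IBM code; the user IDs, the PROGRAM resource name, the ESM profile table and all function names are constructed for illustration.

```python
"""Simplified model of the QUERY SECURITY check paths (added example, not CICS code)."""
from itertools import product

LEVELS = ("READ", "UPDATE", "CONTROL", "ALTER")  # QUERY SECURITY access options

# Constructed stand-in for the ESM: (userid, resource) -> access levels granted.
ESM_PROFILES = {
    ("OPER1", "PROGRAM"): {"READ"},
    ("ADMIN1", "PROGRAM"): {"READ", "UPDATE", "ALTER"},
}

def esm_check(user, resource, level):
    """Modelled ESM call: does the user hold this access level on the resource?"""
    return level in ESM_PROFILES.get((user, resource), set())

def query_per_level(user, resource, levels, cmdsec):
    """Reference path: one check per queried level; CMDSEC is never consulted."""
    return {lvl: "OK" if esm_check(user, resource, lvl) else "NOTAUTH" for lvl in levels}

def query_optimised_flawed(user, resource, levels, cmdsec):
    """Single combined check that is wrongly gated on the transaction's CMDSEC."""
    if not cmdsec:
        return {lvl: "OK" for lvl in levels}  # defect: ESM bypassed, everything is OK
    return query_per_level(user, resource, levels, cmdsec)

def query_optimised_fixed(user, resource, levels, cmdsec):
    """Single combined check that consults the ESM whatever CMDSEC is set to."""
    granted = ESM_PROFILES.get((user, resource), set())  # one lookup for all levels
    return {lvl: "OK" if lvl in granted else "NOTAUTH" for lvl in levels}

def differential(candidate, users=("OPER1", "ADMIN1", "NOBODY")):
    """List (user, cmdsec, levels) where candidate disagrees with the reference."""
    mismatches = []
    for user, cmdsec in product(users, (True, False)):
        ref = query_per_level(user, "PROGRAM", LEVELS, cmdsec)
        got = candidate(user, "PROGRAM", LEVELS, cmdsec)
        wrong = sorted(lvl for lvl in LEVELS if ref[lvl] != got[lvl])
        if wrong:
            mismatches.append((user, cmdsec, wrong))
    return mismatches

if __name__ == "__main__":
    for name, fn in (("flawed", query_optimised_flawed), ("fixed", query_optimised_fixed)):
        print(name, differential(fn))
```

In this model the flawed routine disagrees with the reference only on the CMDSEC(NO) rows, which matches the observation that everything appears to work under CEDF.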
Temporary fix
Comments
APAR Information
APAR number
PH55707
Reported component name
CICS TS Z/OS V6
Reported component ID
5655YA100
Reported release
400
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-07-12
Closed date
2023-07-31
Last modified date
2024-08-07
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI92956
Modules/Macros
DFHXSRC
Fix information
Fixed component name
CICS TS Z/OS V6
Fixed component ID
5655YA100
Applicable component levels
R400 PSY UI92956
UP23/08/01 P F307
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
07 August 2024