PI98215: RACFSYNC=YES BUT CACHED USER TOKENS NOT INVALIDATED IF THEY WERECREATED BY A ADD_USER_VIA_ICRX REQUEST.

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• When specifying the CICS SIT parameter RACFSYNC=YES,all cached
  user tokens for the user ID should be invalidated.
  
  This invalidation is not done if the user token was created by
  an ADD_USER_VIA_ICRX request for a distributed identity.
  

Local fix

• N/A
  

Problem summary

• ****************************************************************
  * USERS AFFECTED: All users using distributed identities.      *
  ****************************************************************
  * PROBLEM DESCRIPTION: A cached user token representing a user *
  *                      defined using ICRX is not invalidated   *
  *                      when an ENF event is generated for the  *
  *                      userid by an explicit REVOKE of that    *
  *                      userid or CONNECT/REMOVE the userid     *
  *                      from a RACF group.                      *
  ****************************************************************
  In the reported problem, the user had RACFSYNC=YES coded as a
  SIT parameter.  The effect of this is that when CICS receives
  an ENF type 71 event from RACF (when a CONNECT, REMOVE or REVOKE
  command changes a users resource authorisation) the associated
  cached user token is invalidated.  This does not currently work
  if the user/ID was defined via an ICRX.
  
  DFHUSAD places ID user token entries into USD1, USD2, USD3 and
  USD4 but only scans USD1 as part of the token invalidation
  process. The ICRX entries did not have a USD1 entry.
  

Problem conclusion

• DFHUSAD has been amended to correctly invalidate cached user
  tokens where the ID was added via ICRX and when an ENF event is
  received due to when RACFSYNC=YES is specified.
  

Temporary fix

Comments

• ×**** PE18/11/09 FIX IN ERROR. SEE APAR PH05092  FOR DESCRIPTION
  

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UI59497 UI59498

Modules/Macros

• DFHUSAD
  

Fix information

• Fixed component name

  CICS TS Z/OS V5

• Fixed component ID

  5655Y0400

Applicable component levels

• R000 PSY UI59497

     UP18/11/06 P F811

• R100 PSY UI59498

     UP18/11/06 P F811

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.