IBM Support

PM42117: CPSM GET RECEIVES NOTPERMIT USERID WITH RC 0

A fix is available


APAR status

  • Closed as program error.

Error description

  • Customer has a process which periodically inquires on the CPSM
    workload status of a region using CPSM API calls.  Recently he
    had a problem with a user getting a NOTPERMIT USRID condition.
    The CRCK entry indicated the correct RACF profile was checked
    and completed successfully.  However, the PostExec entry showed
    the GET_cmd completed with NOTPERMIT USRID.
    The WABW MAL for the GET request was failing on a remote CMAS
    with an authorization failure.  The customer confirmed this
    user does not have access to this system and feels it should
    not matter, from a business perspective, that a user running on
    System A does not have access to System B.
    Additional Keyword(s) and Symptom(s):
    KIXREVBDB
    

Local fix

Problem summary

  • USERS AFFECTED: All CICSPlex SM V4R1M0 and V4R2M0 Users

    PROBLEM DESCRIPTION: You execute an API program in a CICSplex which spans LPARs with differing security environments. If a request is rejected by the external security manager (ESM) in one or more CMASes, a response of NOTPERMIT and a reason of USRID is returned to the API program with no data, even though the request may have executed successfully in other CMASes.

    RECOMMENDATION: After applying the PTF that resolves this APAR, all CMASes and MASes must be recycled to pick up the updated code. Note that the restarts do not need to be done at the same time.

       When CPSM's Single System Image component does not receive
    the same response for a request from all target systems, the
    most severe response and reason code are propagated to the user.
    If a security validation exception was detected in one or more
    CMASes to which a request was routed, no data is returned to the
    caller even though the request may have executed successfully
    and retrieved data in other targets.
    

Problem conclusion

  •    API modules EYU0XDP1 (XDP1 - API GET Processor), EYU0XDER
    (XDER - First Level MAS API Router), and EYU0ABM0 (ABM0 - First
    Level Batch API Router) were modified to return available data
    which the user is authorized to access, if the response and
    reason indicate that a security exception was detected in one
    or more CMASes to which a request was routed.
       A new CICSPlex SM system parameter (EYUPARM) of SECRPTLVL was
    defined to allow administrators to tailor the response returned
    to the caller if an API request results in a security validation
    exception.  Specifying SECRPTLVL(NONE) causes the API command to
    return a response of OK or NODATA depending on whether data was
    received from other CMASes.  SECRPTLVL(RESPONSE), the default,
    causes the API to return RESPONSE=NOTPERMIT, REASON=USRID.
    SECRPTLVL(DETAIL) results in the generation of a result set of
    MASQRYER resources identifying the system or systems in which
    a request was denied by the external security manager.  MASQRYER
    resources can be retrieved by executing the FETCH command, and
    passing the QUERYERROR parameter.
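
A model of the response handling described above, as an added example (not IBM code and not CPSM API syntax): it contrasts the pre-PTF behaviour with the three SECRPTLVL settings for one routed GET. The class and function names, the system names and the sample rows are constructed, the MASQRYER result set is reduced to a list of system names, and the response returned under DETAIL is an assumption because the APAR does not state it.

```python
from dataclasses import dataclass, field

@dataclass
class CmasResult:              # one target CMAS's answer to a routed GET
    cmas: str                  # constructed system name
    response: str              # "OK", "NODATA" or "NOTPERMIT"
    reason: str = ""           # "USRID" when the ESM rejected the user
    records: list = field(default_factory=list)

@dataclass
class ApiResult:               # what the calling API program sees
    response: str
    reason: str
    records: list
    masqryer: list             # simplified stand-in for MASQRYER resources

def _merge(results):
    records = [rec for r in results if r.response == "OK" for rec in r.records]
    denied = [r.cmas for r in results if r.response == "NOTPERMIT"]
    return records, denied

def before_ptf(results):
    """Most severe response wins; a single ESM denial discards all data."""
    records, denied = _merge(results)
    if denied:
        return ApiResult("NOTPERMIT", "USRID", [], [])
    return ApiResult("OK" if records else "NODATA", "", records, [])

def after_ptf(results, secrptlvl="RESPONSE"):
    """Authorized data is kept; SECRPTLVL decides how the denial is reported."""
    if secrptlvl not in ("NONE", "RESPONSE", "DETAIL"):
        raise ValueError(f"unknown SECRPTLVL value: {secrptlvl}")
    records, denied = _merge(results)
    if not denied or secrptlvl == "NONE":
        return ApiResult("OK" if records else "NODATA", "", records, [])
    # NOTPERMIT/USRID is stated for RESPONSE; reusing it for DETAIL is assumed.
    detail = denied if secrptlvl == "DETAIL" else []
    return ApiResult("NOTPERMIT", "USRID", records, detail)

# Constructed sample: the user is authorized on CMASA but not on CMASB.
SAMPLE = [
    CmasResult("CMASA", "OK", records=["row 1", "row 2"]),
    CmasResult("CMASB", "NOTPERMIT", "USRID"),
]

if __name__ == "__main__":
    print("before PTF:", before_ptf(SAMPLE))
    for level in ("NONE", "RESPONSE", "DETAIL"):
        print(level, after_ptf(SAMPLE, level))
```

Under SECRPTLVL(NONE) the result for the sample is identical to the result from a CICSplex in which CMASB was never a target, so a caller that needs to know its view is partial has to run with RESPONSE or DETAIL.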
    

Temporary fix

  • FIX AVAILABLE BY PTF ONLY
    

Comments

APAR Information

  • APAR number

    PM42117

  • Reported component name

    CICS TS Z/OS V4

  • Reported component ID

    5655S9700

  • Reported release

    60M

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2011-06-21

  • Closed date

    2011-08-04

  • Last modified date

    2011-09-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UK70494 UK70495

Modules/Macros

  •    EYURXLEB EYUTXLPD EYU0ABM0 EYU0UQGQ EYU0XDER
    EYU0XDP1 EYU0XLBV EYU0XLSD EYU0XQGQ
    

Publications Referenced
GC34699501 GC34717100

Fix information

  • Fixed component name

    CICS TS Z/OS V4

  • Fixed component ID

    5655S9700

Applicable component levels

  • R60M PSY UK70494

       UP11/08/09 P F108

  • R70M PSY UK70495

       UP11/08/09 P F108

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
01 September 2011