Explanation of the mechanics of the Verify Permit (AU.V) option and what selection criteria the report is based on.
Resolving the problem
The CARLa command used for this report is VERIFY PERMIT. Below you will find an excerpt from the manuals of the VERIFY PERMIT command. You can find more info on the VERIFY commands in the CARLa Command Language chapter of the of the zSecure Suite: Admin and Audit for RACF User Reference Manual.
Verify that each of the following is defined as a user or a group:
- id entry in a standard or conditional access list
- NODES member
- superior group
- notify field
- STUSER and STGROUP specification other than =MEMBER in a profile with a generic first qualifier and certain APPLDATA fields.
Also verify that users in keys of specially defined profiles
(JESJOBS CANCEL.node.userid.jobname, for example) and data set profiles exist.
This check pertains to the following classes:
- CICS: TCICSTRN, GCICSTRN, DCICSDCT, ECICSDCT, FCICSFCT, HCICSFCT, ACICSPCT, BCICSPCT, JCICJCT, KCICSJCT, MCICSPPT, NCICSPPT, PCICSPSB, QCICSPSB, SCICSTST, UCICSTST, CCICSCMD, VCICSCMD
- JES: JESJOBS, JESSPOOL
- VM: VMCMD, VMRDR, VMBATCH, VMCONECT, VMEVENT, VMXEVENT
If the CKRCMD file has been allocated, commands are generated for the following:
- Delete permits, NODES members and profiles, STARTED user, groups and profiles that refer to non-existing ids.
- Change those OWNER, RESOWNER, NOTIFY, SUPGROUP and verified APPLDATA fields that
refer to non-existing ids.
If a CKFREEZE is supplied, resource deletion is implied as well. That is, the data sets covered by the profiles are removed as well.
The VERIFY PERMIT command is mutually exclusive with the COPY, MOVE, or REMOVE commands.
No commands and CKR0026 messages will be generated to change non-existing connect owners if SUPPRESS CONNECTOWNER has been specified. The reference count for undefined ids in message CKR0068 is not altered; undefined connect owners are still counted here.
|Security||IBM Security zSecure Audit for RACF||Not Applicable||z/OS||Enterprise|