Troubleshooting
Problem
INSUFFICIENT ACCESS AUTHORITY errors on TWSz resource DDIC or DDICT
Symptom
Users may be denied access to TWSz functions even though they have authority to all required known TWSz FIXED RESOURCES and SUBRESOURCES. Error messages found in logs of z/OS system security product indicating insufficient authority to access resource DDIC or resource DDICT.
Cause
The DDIC resource is the TWSz internal data dictionary. This resource is supposed to be invisible to the user and is completely undocumented.
Environment
Under RACF, the default processing is that if a resource is not defined, then no one cares about it and all access is granted. However, if a default profile is defined to the TWSz OPCCLASS denying all access unless explicitly granted, then the TWSz DDIC class is "revealed" and access must be granted to it. Also, some non-IBM z/OS system security products take the opposite default, and if a resource is undefined, all access is automatically denied.
APAR PQ71375 was created in February of 2003 to either remove the un-needed access checking to the DDIC resource or to document that resource. that APAR was closed FIN (fix in future release), and as of December of 2013, no action has yet been taken.
Diagnosing The Problem
Any time a TWSz ISPF dialog user, or an attempted connection to the TWSz Controller through the zConnector, is rejected with a security violation against TWSz FIXED RESOURCE DDIC.
Resolving The Problem
Create a security profile for TWSz FIXED RESOURCE DDIC and grant a universal access of READ.
Was this topic helpful?
Document Information
Modified date:
13 September 2019
UID
swg21623957