Identify unauthorized callers of the IWMSRDRS and IWMSRSRG services

Description

With z/OS® V2R2, the minimum authorization requirements for the callers of Workload Management services IWMSRDRS (Deregister a server for sysplex routing) and IWMSRSRG (Register a server for sysplex routing) are changed. The requirements are now as follows:
  • Problem state with any PSW key if the server address space to be registered or deregistered is the home address space. If resource BPX.WLMSERVER is defined in the FACILITY class, an unauthorized caller requires access authority to this resource or the IWM.SERVER.REGISTER resource in the FACILITY class.
  • If the server to be registered or deregistered is not the home address space, one of the following:
    • Supervisor state
    • Program key mask (PKM) allowing at least one of the keys 0-7
    • The caller has at least READ authority to the resource IWM.SERVER.REGISTER in the FACILITY class. If this resource is not defined, READ authority to the FACILITY class resource BPX.WLMSERVER is required.

Table 1 provides more details about this migration action. Use this information to plan your changes to the system.

Table 1. Information about this migration action
Element or feature: BCP
When change was introduced: z/OS V2R2, z/OS V2R1, and z/OS V1R13, all with APAR OA46405.
Applies to migration from: z/OS V2R1 and z/OS V1R13, both without APAR OA46405.
Timing: Before the first IPL of z/OS V2R2.
Is the migration action required? Yes, if you have unauthorized applications that invoke one of these services and resource BPX.WLMSERVER in the FACILITY class is not defined.
Target system hardware requirements: None.
Target system software requirements: None.
Other system (coexistence or fallback) requirements: None.
Restrictions: None.
System impacts: None.
Related IBM® Health Checker for z/OS check: None.

Steps to take

If RACF resource BPX.WLMSERVER is defined in the FACILITY class, unauthorized callers of WLM services IWMSRDRS and IWMSRSRG already have access authority and no further steps are necessary.

If the resource is not defined, it is recommended that you identify unauthorized callers that use the IWMSRDRS and IWMSRSRG services to register or deregister an address space other than the caller's home address space. To do so, you can temporarily define the IWM.SERVER.REGISTER resource profile with the WARNING parameter. After the first IPL of z/OS V2R2, RACF issues the following warning message for callers of the macro with insufficient authorization:

    ICH408I USER(user) IWM.SERVER.REGISTER CL(FACILITY)
    WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED

For unauthorized callers, take one of the following steps:
  • Change the program so that it no longer calls the IWMSRDRS or IWMSRSRG macro, or stop running the program.
  • Change the caller's authorization to supervisor state or PKM allowing at least one of the keys 0-7.
  • Give the user ID associated with the program access authority to the resource profile IWM.SERVER.REGISTER or an appropriate generic profile when generic profile checking is active.

After all necessary steps have been taken, modify the resource profile to specify NOWARNING. Alternatively, delete the resource profile if there are no unauthorized callers of the IWMSRDRS or IWMSRSRG macro.
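While the profile is in WARNING mode, the callers to remediate can be collected from a text export of the system log. The following Python sketch is an added example, not part of the IBM documentation: it counts ICH408I warning-mode messages for IWM.SERVER.REGISTER per user ID. It assumes the message may appear on one line (as shown above) or be split over continuation lines; the sample log, its line prefixes, user IDs and job names are constructed.

```python
import re
from collections import Counter

RESOURCE = "IWM.SERVER.REGISTER CL(FACILITY)"
WARNING_TEXT = "TEMPORARY ACCESS ALLOWED"
START = re.compile(r"ICH408I\s+USER\(\s*([^\s)]+)\s*\)")
MAX_LINES = 6  # assumption: one message spans at most this many log lines

# Constructed sample log; prefixes, user IDs and job names are invented.
SAMPLE_LOG = """\
09:14:02 STC04711 ICH408I USER(WEBSRV1 ) GROUP(STCGRP  ) NAME(WEB SERVER)
                    IWM.SERVER.REGISTER CL(FACILITY)
                    WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
                    ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
09:14:05 JOB01234 IEF403I PAYROLL - STARTED
09:15:11 JOB01234 ICH408I USER(BATCH07 ) GROUP(PROD    ) NAME(BATCH USER)
                    SYS1.PARMLIB CL(DATASET )
                    INSUFFICIENT ACCESS AUTHORITY
09:20:40 STC04711 ICH408I USER(WEBSRV1) IWM.SERVER.REGISTER CL(FACILITY)
                    WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
09:31:07 STC05002 ICH408I USER(MQRTR) IWM.SERVER.REGISTER CL(FACILITY)
                    WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
""".splitlines()


def warning_mode_callers(log_lines):
    """Count warning-mode ICH408I hits on IWM.SERVER.REGISTER per user ID."""
    lines = list(log_lines)
    hits = Counter()
    for i, line in enumerate(lines):
        match = START.search(line)
        if not match:
            continue
        # Collect the start line plus its continuation lines, stopping
        # early when the next ICH408I message begins.
        block = [line]
        for nxt in lines[i + 1 : i + MAX_LINES]:
            if START.search(nxt):
                break
            block.append(nxt)
        text = " ".join(" ".join(block).split())
        if RESOURCE in text and WARNING_TEXT in text:
            hits[match.group(1)] += 1
    return hits


if __name__ == "__main__":
    for user, count in warning_mode_callers(SAMPLE_LOG).most_common():
        print(f"{user:<8} {count}")
```

An empty result over a representative period of workload supports deleting the temporary profile; any user ID listed needs one of the three remediation steps before NOWARNING is set.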

Reference information

For more information, see z/OS MVS Programming: Workload Management Services.