Resolving problems when access is denied incorrectly

When a user requires access to a protected resource (such as a CICS® transaction) and RACF® denies the requested access, you will often have to analyze the problem before deciding what action to take.

The basic points to ensure are that:
For each security violation, up to three messages are issued:

If message ICH408I is issued for an authorization failure, RACF is active. The message text itself indicates the userid for which the authorization check was done and the name of the RACF profile that was used for the check.

When ICH408I is issued because of a CICS-originated authorization check, RACF sends the message to the CICS region's job log. Most CICS authorization messages also go to the CSCS transient data queue, except DFHIR and DFHZC messages, which go to the CSMT transient data queue.

Note: You can use the CICS-supplied message domain global user exit, XMEOUT, to reroute CICS-issued authorization messages. (For example, you can send them to the same console as the ICH408I messages.) For programming information about using XMEOUT, see the CICS Customization Guide.

If no profile exists for a particular resource, RACF returns a "profile not found" indication to CICS. CICS issues message DFHXS1111 with a SAF return code of X'00000004' and an ESM code of X'00000000'. No ICH408I message is issued in this case. The RLIST command issues a message stating that no profile was found.
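The following triage script is an added example, not IBM-supplied code. It separates the "profile not found" case (DFHXS1111 with SAF return code X'00000004' and ESM code X'00000000', no ICH408I) from denials where RACF logged ICH408I for the same userid. The message layouts in the patterns and all sample lines are assumptions constructed for illustration.

```python
import re

# Assumed message layouts (not taken from the page); adjust to your job log.
XS1111 = re.compile(
    r"DFHXS1111 .*?Security violation by user (?P<user>\S+) .*?"
    r"for resource (?P<res>\S+) in class (?P<cls>\S+?)\. "
    r"SAF codes are \(X'(?P<saf>[0-9A-F]{8})',X'[0-9A-F]{8}'\)\. "
    r"ESM codes are \(X'(?P<esm>[0-9A-F]{8})',X'[0-9A-F]{8}'\)")
ICH408I = re.compile(r"ICH408I USER\((?P<user>[^\s)]+)\s*\)")

# Constructed sample job-log lines; users, resources and codes are invented.
SAMPLE = [
    "DFHXS1111 01/15/2024 10:02:11 CICSA CEMT Security violation by user "
    "USERA at netname TERM01 for resource CEMT in class TCICSTRN. "
    "SAF codes are (X'00000008',X'00000000'). "
    "ESM codes are (X'00000008',X'00000000').",
    "ICH408I USER(USERA   ) GROUP(GRPA    ) NAME(CONSTRUCTED USER    )",
    "DFHXS1111 01/15/2024 10:05:40 CICSA PAY1 Security violation by user "
    "USERB at netname TERM02 for resource PAY1 in class TCICSTRN. "
    "SAF codes are (X'00000004',X'00000000'). "
    "ESM codes are (X'00000000',X'00000000').",
]

def triage(lines):
    """Return (user, resource, class, verdict) for each DFHXS1111 line."""
    # Userids for which RACF itself logged an authorization failure.
    ich_users = {m["user"] for line in lines if (m := ICH408I.search(line))}
    findings = []
    for line in lines:
        m = XS1111.search(line)
        if not m:
            continue
        saf, esm = int(m["saf"], 16), int(m["esm"], 16)
        if saf == 4 and esm == 0:
            # Profile not found: no ICH408I is expected; confirm with RLIST.
            verdict = "no-profile"
        elif m["user"] in ich_users:
            # RACF checked a profile and denied; ICH408I names that profile.
            verdict = "denied-by-profile"
        else:
            verdict = "needs-review"
        findings.append((m["user"], m["res"], m["cls"], verdict))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding)
```

The correlation is by userid only, so a "denied-by-profile" verdict still needs the ICH408I text checked for the profile name that was used.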

Note: