If the security profile for a named counter pool cannot be retrieved, SAF
neither grants nor refuses the access request. In this situation:
Access to the named counter pool, either by a CICS region or by the named
counter server itself, is rejected if:
- A security manager is installed, but is either temporarily inactive or
inoperative for the duration of the MVS image. This is a fail-safe action,
on the grounds that, if the security manager is active, it might retrieve
a profile that does not permit access to the named counter pool.
Access to the named counter pool, either by a CICS region or by the named
counter server itself, is accepted if:
- There is no security manager installed, or
- There is an active security manager, but the FACILITY class is inactive,
or there is no profile in the FACILITY class. The access request is allowed
in this case because there is no evidence that you want to control access
to the named counter server.
Access is permitted to any named counter server without a specific DFHCF.
poolname profile, or an applicable generic profile. No messages are issued
to indicate this. To avoid any potential security exposures, you can use generic
profiles to protect all, or specific groups of, named counter servers. For
example, specifying:
RDEFINE FACILITY (DFHNC.*) UACC(NONE)
ensures
that access is allowed only to named counter servers with a more specific
profile to which a named counter server or CICS region is authorized.