User has insufficient authority to access a resource

Now let us consider user USR001, who has signed on successfully with current connect group GRP001. User USR001 attempts unsuccessfully to use transaction CEMT, which is protected by profile CAT2 in class GCICSTRN (the resource group class for CICS transactions), because XTRAN=YES is specified in the CICS system initialization parameters.
  1. The terminal user receives the following CICS message:
    DFHAC2033 26/09/95 15:18:44 CICSSYS1 You are not authorized to use
    transaction CEMT. Check that the transaction name is correct.
  2. A RACF ICH408I message is sent to the CICS region's job log:
    ICH408I USER(USR001  ) GROUP(GRP001  ) NAME(AUSER         )
    ICH408I   CEMT CL(TCICSTRN)
    ICH408I   INSUFFICIENT ACCESS AUTHORITY
    ICH408I   ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )

    This message indicates that user USR001, whose name as recorded in the RACF user profile is AUSER, and whose current RACF connect group is GRP001, attempted to use the CEMT transaction. To do this, AUSER needs to have at least READ access to the profile protecting the CEMT transaction. However, RACF determined that AUSER had no access authority.

  3. A CICS message is sent to the CSCS transient data queue:
    DFHXS1111 26/09/95 13:30:41 CICSSYS1 CEMT Security violation
              by user USR001 at netname D2D1 for resource CEMT in class
              TCICSTRN. SAF codes are (X'00000008',X'00000000'). ESM codes
              are (X'00000008',X'00000000').
    The following message is also sent to the CSMT transient data queue:
    DFHAC2003 26/09/95 15:18:44 CICSSYS1 Security violation has been
    detected term id = D2D1, trans id = CEMT, userid = USR001.
  4. Which profile protects CEMT?

    It appears from the ICH408I message that profile CEMT in class TCICSTRN protects CEMT. However, this is not necessarily the case. A resource group profile (in class GCICSTRN) might protect CEMT. In fact, in this case, there is no profile named CEMT. If a system-SPECIAL or AUDITOR user issues the SEARCH command with CLASS(TCICSTRN) specified, no profile named CEMT would appear.

    To determine which profile was actually used, you must issue the RLIST command with the RESGROUP operand as follows:
    RLIST member-class resource-name RESGROUP
    In this case, issue the following:
    RLIST TCICSTRN CEMT RESGROUP
    Note: If prefixing is used for this CICS region, specify the prefix on the resource-name in the RLIST command.
    RACF displays the following:
    CLASS      NAME
    -----      ----
    TCICSTRN   CEMT
    GROUP CLASS NAME
    ----- ----- ----
    GCICSTRN
    RESOURCE GROUPS
    -------- ------
    CAT2
    The profiles in class GCICSTRN that protect CEMT are shown under RESOURCE GROUPS in the command output. In this case, only one profile (CAT2) protects CEMT.
    Note: If a profile in class TCICSTRN protected CEMT, that profile's contents would be added to the output of RLIST.
  5. To determine how profile CAT2 protects CEMT, list that profile with the AUTHUSER operand specified on the RLIST command:
    RLIST GCICSTRN CAT2 AUTHUSER
    RACF displays the following:
    CLASS      NAME
    -----      ----
    GCICSTRN   CAT2
    MEMBER CLASS NAME
    ------ ----- ----
    TCICSTRN
    RESOURCES IN GROUP
    --------- -- -----
    CDBC
    CDBI
    CBRC
    CEDA
    CEMT
    CETR
    LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
    -----  --------   ----------------  -----------  -------
    ⋮
    NOTIFY
    ------
    NO USER TO BE NOTIFIED
    USER      ACCESS   ACCESS COUNT
    ----      ------   ------ -----
    DEPTA     ALTER       000000
    USR001    NONE        000000
    -------- -------  ------------ -------- --------------------------
    NO ENTRIES IN CONDITIONAL ACCESS LIST
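
The following Python sketch is an added example, not part of the original documentation. It parses the four-line ICH408I form shown in step 2 out of a job log and builds, for each violation, the RLIST command with RESGROUP from step 4. The function names and the sample log are constructed for this example, and other ICH408I layouts are not handled.

```python
import re

# Constructed sample: the ICH408I lines from step 2, plus one unrelated line.
SAMPLE_JOBLOG = """\
DFHSI1517 CICSSYS1 Control is being given to CICS.
ICH408I USER(USR001  ) GROUP(GRP001  ) NAME(AUSER         )
ICH408I   CEMT CL(TCICSTRN)
ICH408I   INSUFFICIENT ACCESS AUTHORITY
ICH408I   ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
"""

# One pattern per ICH408I line type in the form shown on this page.
HEADER = re.compile(r"ICH408I\s+USER\((?P<user>[^)]*)\)\s+"
                    r"GROUP\((?P<group>[^)]*)\)\s+NAME\((?P<name>[^)]*)\)")
RESOURCE = re.compile(r"ICH408I\s+(?P<resource>\S+)\s+CL\((?P<cls>[^)]*)\)")
ACCESS = re.compile(r"ICH408I\s+ACCESS INTENT\((?P<intent>[^)]*)\)\s+"
                    r"ACCESS ALLOWED\((?P<allowed>[^)]*)\)")


def parse_ich408i(joblog):
    """Return one dict per violation, grouping the ICH408I continuation lines."""
    events, current = [], None
    for line in joblog.splitlines():
        line = line.strip()
        if not line.startswith("ICH408I"):
            continue
        m = HEADER.match(line)
        if m:  # a USER(...) line starts a new violation
            current = {k: v.strip() for k, v in m.groupdict().items()}
            events.append(current)
            continue
        if current is None:
            continue  # continuation line with no header before it: skip
        m = RESOURCE.match(line) or ACCESS.match(line)
        if m:
            current.update({k: v.strip() for k, v in m.groupdict().items()})
        else:  # free-text reason, e.g. INSUFFICIENT ACCESS AUTHORITY
            current["reason"] = line[len("ICH408I"):].strip()
    return events


def resgroup_command(event):
    """Build the step 4 command: the class in ICH408I is the member class,
    so RESGROUP is needed to find a protecting resource group profile."""
    return f"RLIST {event['cls']} {event['resource']} RESGROUP"
```
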