Access by revoked RACF userid

Thu, 04 Jul 2002 08:08:59 -0700


Dear all,

Working in a client/server-environment using mqseries, the user-password is validated once (using a queue with universal UPDATE and a corresponding CICS-transaction that executes a RACROUTE REQUEST=VERIFY). Afterwards, the userid needs the proper authorizations when accessing the application queues on the mainframe. The MQ-master-address space will create an ACEE for the user (RACROUTE REQUEST=VERIFY, ENVIRON=CREATE, USERID=userid, PASSSCHK=NO) and for each (new) queue accesses, a resource validation takes place (RACROUTE REQUEST=FASTAUTH, CLASS=MQQUEUE, ENTITY=queue=name, ACEE=useracee).
For performance reaons, the MQ-master address space keeps track of the resources already accessed.
Using the commands RVERIFY USERID(userid) or ALTER SECURITY TIMEOUT(0) the corresponding or all ACEE's are deleted (RACROUTE REQUEST=VERIFY, ENVIRON=DELETE, USERID=userid).

However, a user that has been manually revoked after the initial logon can still access the queues that are found in the user's history. When he tries to access a new queue, the MQ-master-address space tries to create a new ACEE but fails with the message  ICH408I LOGON/JOB INITIATION - REVOKED USER ACCESS ATTEMPT.

Does anybody know how to clear the userid's history so that the userid will be blocked from using the queues?
Or is there an alternate way to stop the revoked userid from acccessing the queues?

Regards,
Fons Heirbaut
Seurity Officer
AXA BANK Belgium

__________________________________________
AXA Bank n.v.      Security Desk
Postcode: B2Z/650 - Site Berchem  
Tel.:        +32 (0)3 286 21 93
Fax:        +32 (0)3 286 28 99
E-mail:        [EMAIL PROTECTED]
          [EMAIL PROTECTED]
This message may contain confidential information destined to be read only by the intended recipient.  No other persons should read, use, publish or reproduce the content of this message.  If you receive this message by  mistake, please notify the sender immediately.  The information contained in this message represents the personal opinions of the individual that sent it and should not be construed as representing the position of the AXA Group.

Reply via email to