by Antonyraj85 » Fri Jul 23, 2010 2:50 am
Hi,
Finally we got the solution for Unix Service Access - W_GETIPC
For the message
ICH408I USER(PRCOMS ) GROUP(PRCOMGRP) NAME(PARK RIDGE COMS )
01000F02 CL(IPCOBJ ) ID(0000000004)
INSUFFICIENT AUTHORITY TO W_GETIPC
ACCESS INTENT(R--) ACCESS ALLOWED(OTHER ---)
EFFECTIVE UID(0000000950) EFFECTIVE GID(0000002100)
No profiles are allowed in a number of Unix-related classes, such as

The following classes are defined only for auditing z/OS UNIX security
events and are not used for authorization checking:

o DIRACC
o DIRSRCH
o FSOBJ
o FSSEC
o IPCOBJ
o PROCACT
o PROCESS

No profiles can be defined in these classes. They are used to define the
auditing options for z/OS UNIX security events. The classes do not need
to be active to control auditing.

To prevent these messages (and related SMF records),
you can use SETR LOGOPTIONS NONE for IPCOBJ.
As you are dealing with IPCOBJ (in the above message), this is
about the only way, and here is the command.
SETR LOGOPTIONS(NEVER(IPCOBJ))

There is also a design change request, with development,
MR0923055952, that indicates:
'Currently, during IPC processing, numerous RACF violation messages
against the class IPCOBJ can get written to the system log. These
appear to be extraneous, since the user appears to get to the resources
they need. The only current way to avoid these messages is to turn off
logging completely for this class. This is unacceptable to auditors who
expect violation messages to record attempts at resources one is not
authorized to and since there appears to be no way to grant access to
the resources that are being indicated as being violated, this is also
extremely confusing.'
So some action may be taken, in the future, to change this. If you wish
I'd be happy to add you as an interested party to this DCR.
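
Added example (not part of the original post and not IBM code): a small Python parser for ICH408I messages in the layout quoted above, which tags violations raised against the audit-only classes listed in the post. The function names, the second sample message and the assumption that each message starts at column 1 with its continuation lines directly below are constructed for illustration.

```python
import re

# Classes the post lists as audit-only: no profiles can be defined in them.
AUDIT_ONLY_CLASSES = {"DIRACC", "DIRSRCH", "FSOBJ", "FSSEC",
                      "IPCOBJ", "PROCACT", "PROCESS"}

FIELD_RE = re.compile(r"\b(USER|GROUP|NAME|CL|ACCESS INTENT|ACCESS ALLOWED"
                      r"|EFFECTIVE UID|EFFECTIVE GID)\(([^)]*)\)")
SERVICE_RE = re.compile(r"INSUFFICIENT AUTHORITY TO (\S+)")

# First message is the one from the post; the second is constructed for contrast.
SAMPLE_LOG = """\
ICH408I USER(PRCOMS ) GROUP(PRCOMGRP) NAME(PARK RIDGE COMS )
01000F02 CL(IPCOBJ ) ID(0000000004)
INSUFFICIENT AUTHORITY TO W_GETIPC
ACCESS INTENT(R--) ACCESS ALLOWED(OTHER ---)
EFFECTIVE UID(0000000950) EFFECTIVE GID(0000002100)
ICH408I USER(TESTUSR ) GROUP(TESTGRP ) NAME(CONSTRUCTED USER )
PAYROLL.MASTER.FILE CL(DATASET ) VOL(VOL001)
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(UPDATE ) ACCESS ALLOWED(READ )
"""

def parse_ich408i(log):
    """Return one dict of fields per ICH408I message found in the log text."""
    messages, current = [], None
    for line in log.splitlines():
        if line.startswith("ICH408I"):       # header line starts a new message
            current = [line]
            messages.append(current)
        elif current is not None and line.strip():
            current.append(line.strip())      # continuation line of the message
    events = []
    for parts in messages:
        text = " ".join(parts)
        event = {key: value.strip() for key, value in FIELD_RE.findall(text)}
        service = SERVICE_RE.search(text)
        event["SERVICE"] = service.group(1) if service else None
        # True when the class is one where access cannot be granted by profile.
        event["AUDIT_ONLY"] = event.get("CL") in AUDIT_ONLY_CLASSES
        events.append(event)
    return events

def triage(events):
    """Split events into (profile-protected classes, audit-only classes)."""
    return ([e for e in events if not e["AUDIT_ONLY"]],
            [e for e in events if e["AUDIT_ONLY"]])

if __name__ == "__main__":
    for e in parse_ich408i(SAMPLE_LOG):
        print(e["USER"], e["CL"], e["SERVICE"], "audit-only" if e["AUDIT_ONLY"] else "")
```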