This is an IBM Automation portal for Cloud Platform products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).
Shape the future of IBM!
We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:
Search existing ideas
Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updateson them if they matter to you. If you can't find what you are looking for,
Post your ideas
Post an idea.
Get feedback from the IBM team and other customers to refine your idea.
Follow the idea through the IBM Ideas process.
Specific links you will want to bookmark for future use
Liberty zOS - improve process to determine when mapped userid does not have access to APPL
in Liberty on zOS, when authenticating to an application using a client certificate, the client certificate is mapped to a RACF user id.
To be able to invoke the application, the mapped RACF user id needs to have READ access to the APPL class.
The problem is that if the mapped user id does not have access then you get no RACF message showing the security violation.
If you trace in Liberty the trace message is not overly helpful as it shows that "null" has no access as in this example:
[1/11/18 3:35:41:410 GMT] 0000002a SAFServiceRes < getMessage Exit CWWKS2907E: SAF Service IRRSIA00_CREATE did not succeed because user null has insufficient authority to access APPL-ID EDZCWAZ. SAF return code 0x00000008. RACF return code 0x00000008. RACF reason code 0x00000020.
The "null" in the above message, is misleading, as it is really the mapped user id that does not have access to the APPL class.
Current way this works does not return the mapped user id back to Liberty, so it cannot show the mapped user id that did not have access, but there is also no RACF message.
Would like to see change done so that at least the trace message shows that the mapped user id did not have access to the APPL class.
Do not place IBM confidential, company confidential, or personal information into any field.