Skip to Main Content
IBM Z Software


This portal is to open public enhancement requests against IBM Z Software products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas
  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Status Future consideration
Created by Guest
Created on Jul 27, 2020

remove systematic access to SYS1.PARMLIB by the CICS translator

with CICS TS 5.5 - the translator DFHECP1$ read SYS1.PARMLIB
even if the DFHAPIR member is in a "user.PARMLIB" it has read access to the SYS1.PARMLIB - This generates security errors because this PDS is not accessible for developers.

This is not blocking, but it does not allow the use of the new DFHAPIR functions.

Idea priority Medium
  • Guest
    Reply
    |
    Sep 8, 2023

    We also have SYS1.PARMLIB restricted as described in the following STIG:

    "STIG: IBM z/OS RACF Security Technical Implementation Guide - SYS1.PARMLIB contains the parameters that control audit configuration. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data. If the ESM data set rules for SYS1.PARMLIB allow inappropriate (e.g., global READ) access, this is a finding."

    Also, if a compile job tries to access SYS1.PARMLIB and fails, the resulting compile gets a free ride on the DFHAPIR rules. That should be closed as well. If we say we have DFHAPIR rules and they can't be accessed, the entire compile should be aborted (perhaps allow the compile but don't generate any object).



  • Guest
    Reply
    |
    Mar 7, 2023

    Really does not make sense to open up the SYS1.PAMLIB to everyone needing to compile CICS programs, even if for just read. Would be much cleaner to have a DD to point to a parmlib and member that would or would not have the DFHAPIR member, and not get a security violation, ya'll do this for PLT programs. And why not a ASM XOPTS(xx) parameter to turn it off if not in use.

  • Guest
    Reply
    |
    Oct 14, 2022

    Our Corporate Security and Auditors prohibit access to SYS1.PARMLIB by unauthorized personnel. Our SYS1.PARMLIB access is set to UACC(NONE), with a few specific RACF Groups able to read it (CICS SYS PROGS, DB2 SYS, MQ SYSPROGS. The development community and Non SYS PROGS should not be able to view SYS1.PARMLIB.

    .

    The problem I see is the two Translator methodologies. Our Development team prefers a Job Step Transalation while Change Control uses the Integrated Translator.

    .

    Would prefer to see a DFHAPIR DD statement managed by the CICS Systems Programmer for both types of Translators. ANd should NOT be overriden by a developer. The presence of a // DFHAPIR DD statement indicates that DFHAPIR checking would be performed. Possibly a DFHAPIR option for the Translator.

    .

  • Guest
    Reply
    |
    Feb 14, 2022

    IBM would like to understand more about why some users would have access to some data sets in the parmlib concatenation and not others. Can you provide a specific example of sensitive information in a parmlib member (specific members and parameters) that can only be discovered by viewing the parmlib member?
    If you would be willing to provide some more information on this, that would be helpful. Thank you.

  • Guest
    Reply
    |
    Feb 7, 2022

    Our organisation has locked down (UACC=NONE) and restricted SYS1.PARMLIB to MVS Support in the ACL. Developer access not allowed for security reasons.

  • Guest
    Reply
    |
    Feb 5, 2022

    Same - Audit/Corporate Security exist in our environment. The SYS1.PARMLIB access, as it is UACC(NONE), with only a few specific RACF Groups able to READ it. Sensitive PARMs that SYS1.PARMLIB houses (that the general public should not be able to view). In addition customized members is added to non IBM PARMLIB datasets to improve software RSU rolled out process.

  • Guest
    Reply
    |
    Sep 10, 2021

    We have the same issue with SYS1.PARMLIB access, as it is UACC(NONE), with only a few specific RACF Groups able to READ it. This setting is required by our Audit/Corporate Security areas, due to other sensitive PARMs that SYS1.PARMLIB houses (that the general public should not be able to view).

    I would like to have IBM update CICS/TS's 'DFHAPIR logic' as follows:
    -allow a //DFHAPIR DD statement to be added to the batch CICS program Compile job.
    (such as //DFHAPIR DD DISP=SHR,DSN=CICS.PARMLIB )
    -IBM/CICS to update CICS/TS software so that *IF* a //DFHAPIR is coded, then the CICS Translator would NOT use the z/OS PARMLIB concatenation, but whatever dataset(s) appear on the //DFHAPIR DD statement.
    -If not , it would continue to use the z/OS PARMLIB concatenation.

  • Guest
    Reply
    |
    Nov 30, 2020

    This item is not in our plans but is being kept in our backlog.

  • Guest
    Reply
    |
    Nov 3, 2020

    Correction: although CICS supports the DFHTABLE DD, the DFHAPIR parmlib member is not supported through DFHTABLE. I'm sorry for any confusion.

    We would still like to understand more about why some users would have access to some of the data sets in the parmlib concatenation and not others. It would be helpful if you could provide more information about that.

  • Guest
    Reply
    |
    Sep 23, 2020

    The IEFPRMLB service that is used by CICS requires access to the entire Parmlib concatenation. Unfortunately, if users do not have access to some of the data sets in the Parmlib concatenation, attempting to access the Parmlib concatenation will result in an error.
    The CICS translator supports coding a specific data set for these options via the DFHTABLE DD, which could point to a specific data set (and could be the same "user.PARMLIB" data set that is in the concatenation.)

    IBM is likely to decline this RFE since the DFHTABLE DD can be used instead. However, IBM would first like to understand why some users would have access to some data sets in the parmlib concatenation and not others. If you would be willing to provide some more information on this, that would be helpful. Thank you.

  • Guest
    Reply
    |
    Sep 22, 2020

    Due to processing by IBM, this request was reassigned to have the following updated attributes:
    Brand - Servers and Systems Software
    Product family - z Systems Software
    Product - z/OS
    Component - BCP_General
    Operating system - IBM z/OS
    Source - None

    For recording keeping, the previous attributes were:
    Brand - Servers and Systems Software
    Product family - Transaction Processing
    Product - CICS Transaction Server
    Component - Other
    Operating system - IBM z/OS
    Source - None

  • Guest
    Reply
    |
    Sep 21, 2020

    This is not something CICS could solve on its on its own. CICS is using a standard IEFPRMLB macro to invoke a z/OS service to read parmlib. Perhaps a zOS change could be made for example a LOG=NO option. In which case if not authorised it returns a not found response, similar to the way in CEMT and CPSM we ignore any resources in a browse which we are not authorised to read. We don't issue ICH408I and it is not a security vulnerability. If such a change were made, then CICS could exploit it.

    The RFE will be transferred to z/OS for consideration.