APAR status
Closed as documentation error.
Error description
Using the DB2 stored procedures DSNACCJF, DSNACCJP, DSNACCJQ, DSNACCJS, and DSNACCUC.
Local fix
This APAR provides a roadmap to five related APARs that survey the new stored procedures included with PTF UQ81110.

APAR Contents:

    APAR II13726: Stored procedure DSNACCJF
    APAR II13727: Stored procedure DSNACCJP
    APAR II13728: Stored procedure DSNACCJQ
    APAR II13729: Stored procedure DSNACCJS
    APAR II13730: Stored procedure DSNACCUC

Terminology:

    Abbreviation   Description
    ------------   -----------
    JCL            Job Control Language.
    JES2, JES3     The job entry subsystems that MVS uses to do work.
    EMCS           Extended Multiple Console Support.
    MVS            Multiple Virtual Storage. Implies MVS/390, MVS/XA, MVS/ESA, and the MVS element of the OS/390 or z/OS operating system.
    OMVS segment   Part of the user profile (in RACF) which contains z/OS UNIX information about the user.
    RACF           Resource Access Control Facility, which is a component of the SecureWay Security Server for z/OS.
    WLM            Work Load Manager.

Notes on the required RACF authority

To execute the CALL statement, the owner of the package or plan that contains the CALL statement must have one or more of the following privileges:

- The EXECUTE privilege on the stored procedure
- Ownership of the stored procedure
- SYSADM authority

All the stored procedures described in this document use the __login() function to switch users. This requires daemon authority, and if BPX.DAEMON is active, the stored procedures loaded into an address space must have been defined to RACF program control. Otherwise, the following error will be returned: "EDC5139I Operation not permitted". You can define programs from traditional libraries to program control, or define the BPX.DAEMON.HFSCTL profile in the FACILITY class so that programs that are loaded from MVS libraries are not checked for program control.

To define programs from traditional libraries to program control, you need to:

1. Activate the RACF program control (both access control to load modules and program access to data sets).

    SETROPTS WHEN(PROGRAM)

2. Define one of the following profiles.

   A. For a particular program, define a discrete RACF PROGRAM class profile:

    RDEFINE PROGRAM membername ADDMEM('datasetname'/volser/NOPADCHK) UACC(READ)

   B. For all members in a data set:

    RDEFINE PROGRAM * ADDMEM('datasetname'/volser/NOPADCHK) UACC(READ)

3. Refresh the in-storage copy of the PROGRAM profile.

    SETROPTS WHEN(PROGRAM) REFRESH

To set up the BPX.DAEMON.HFSCTL FACILITY class, you need to:

1. Define the resource profile.

    RDEFINE FACILITY BPX.DAEMON.HFSCTL UACC(NONE)

2. Give READ access to users.

    PERMIT BPX.DAEMON.HFSCTL CLASS(FACILITY) ID(uuuuuu) ACCESS(READ)
    SETROPTS RACLIST(FACILITY) REFRESH

For more information on BPX.DAEMON and setting up program control, you can refer to the z/OS UNIX System Services Planning manual.

The stored procedures DSNACCJP and DSNACCJQ also use the EMCS console to issue JES commands to the console. These two stored procedures use the TSO/E user ID (which is the user ID specified in the user-ID parameter of the stored procedures) as the console name. So one should consider ways to control what an authorized TSO/E user can do during a console session.

The security administrator can define a RACF user profile to control the console attributes of the EMCS console. For example:

    ADDUSER USER001 OPERPARM(AUTH(SYS))

This example defines the user ID USER001 as an EMCS console with console attributes defined by the OPERPARM keyword. Note that the example includes only the information about console attributes for USER001. For complete information on the RACF ADDUSER command, refer to z/OS Security Server RACF Command Language Reference.

Ensure that the user of the EMCS console (which is the user ID specified in the user-ID parameter of the stored procedures) has READ access to a profile in the RACF OPERCMDS class named:

    MVS.MCSOPER.console-name

The following steps can be taken by the RACF security administrator to give users access to the RACF OPERCMDS class:

1. Issue the SETROPTS command to activate the OPERCMDS class:

    SETROPTS CLASSACT(OPERCMDS)

2. Issue the SETROPTS command to activate generic profiles for the class:

    SETROPTS GENERIC(OPERCMDS)

3. Issue RDEFINE to establish a profile for MVS.MCSOPER.* :

    RDEFINE OPERCMDS MVS.MCSOPER.* UACC(NONE)

4. Give the TSO/E user ID access to the class:

    PERMIT MVS.MCSOPER.* CLASS(OPERCMDS) ID(USER001) ACCESS(READ)

5. Issue the SETROPTS RACLIST command to refresh the OPERCMDS reserve class:

    SETROPTS RACLIST(OPERCMDS) REFRESH

For more information on RACF commands, refer to z/OS SecureWay Security Server RACF Command Language Reference. For more information on the EMCS console, refer to z/OS MVS Planning: Operations.

The stored procedures DSNACCJP and DSNACCJQ issue the JES commands to cancel, purge or display a job. To protect these JES commands, you need to:

1. Define the resource profile.

    RDEFINE OPERCMDS jesname.CANCEL.* UACC(NONE)
    RDEFINE OPERCMDS jesname.STOP.* UACC(NONE)
    RDEFINE OPERCMDS jesname.DISPLAY.* UACC(NONE)

2. Give UPDATE access to users.

    PERMIT jesname.CANCEL.* CLASS(OPERCMDS) ID(uuuuuu) ACCESS(UPDATE)
    PERMIT jesname.STOP.* CLASS(OPERCMDS) ID(uuuuuu) ACCESS(UPDATE)
    PERMIT jesname.DISPLAY.* CLASS(OPERCMDS) ID(uuuuuu) ACCESS(READ)
    SETROPTS RACLIST(OPERCMDS) REFRESH

To make sure that the related messages are always received by the EMCS console, provide the command

    ALTUSER userID OPERPARM(ROUTCODE(ALL) AUTH(INFO))

for the user under whose authority the stored procedures will be run.
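The setup above depends on three details that are easy to get wrong when the commands are collected into a script: PERMIT applies to the DATASET class when CLASS is omitted, the OPERCMDS and FACILITY profiles are meant to be defined with UACC(NONE), and changes to a RACLISTed class take effect only after SETROPTS RACLIST(class) REFRESH. The following Python check is an added example, not part of the APAR or of any IBM tool; the function name lint_racf and the sample script (with JES2 standing in for jesname and USER001 for the user ID) are constructed for illustration, and only unabbreviated command names are recognized.

```python
import re

# General resource classes used by the setup on this page.
GENERAL_CLASSES = {"OPERCMDS", "FACILITY"}

def _kw(cmd, name):
    """Return the operand of keyword NAME(...) in a RACF command, or None."""
    m = re.search(r"\b%s\(([^()]*)\)" % name, cmd, re.I)
    return m.group(1).strip().upper() if m else None

def lint_racf(script):
    """Return (line_no, message) findings for a script of RACF commands."""
    findings = []
    pending = {}  # class -> line of the last change not yet refreshed
    for no, raw in enumerate(script.splitlines(), 1):
        parts = raw.split()
        if len(parts) < 2:
            continue
        cmd, verb = raw.strip(), parts[0].upper()
        if verb == "RDEFINE" and parts[1].upper() in GENERAL_CLASSES:
            cls = parts[1].upper()
            pending[cls] = no
            if _kw(cmd, "UACC") != "NONE":
                findings.append((no, f"{cls} profile lacks explicit UACC(NONE)"))
        elif verb == "PERMIT":
            cls = _kw(cmd, "CLASS")
            if cls is None:
                findings.append((no, "PERMIT without CLASS applies to DATASET"))
            elif cls in GENERAL_CLASSES:
                pending[cls] = no
        elif verb == "SETROPTS" and re.search(r"\bREFRESH\b", cmd, re.I):
            pending.pop(_kw(cmd, "RACLIST"), None)
    for cls, no in sorted(pending.items()):
        findings.append((no, f"no SETROPTS RACLIST({cls}) REFRESH after change"))
    return findings

# Constructed sample: one weak UACC, one PERMIT missing CLASS, one missing refresh.
SAMPLE = """\
RDEFINE OPERCMDS JES2.CANCEL.* UACC(NONE)
RDEFINE OPERCMDS JES2.DISPLAY.* UACC(READ)
PERMIT JES2.CANCEL.* ID(USER001) ACCESS(UPDATE)
PERMIT JES2.DISPLAY.* CLASS(OPERCMDS) ID(USER001) ACCESS(READ)
RDEFINE FACILITY BPX.DAEMON.HFSCTL UACC(NONE)
PERMIT BPX.DAEMON.HFSCTL CLASS(FACILITY) ID(USER001) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
"""

if __name__ == "__main__":
    for line_no, message in lint_racf(SAMPLE):
        print(f"line {line_no}: {message}")
```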
Problem summary
A brief user guide for the stored procedures DSNACCJF, DSNACCJP, DSNACCJQ, DSNACCJS, and DSNACCUC is required.
Problem conclusion
A brief user guide is provided.
Temporary fix
Comments
APAR Information
APAR number
II13698
Reported component name
PB LIB INFO ITE
Reported component ID
INFOPBLIB
Reported release
001
Status
CLOSED DOC
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2003-10-08
Closed date
2003-11-26
Last modified date
2003-11-26
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
Document Information
Modified date:
09 September 2020