IBM Support

II13698: USING THE DB2 STORED PROCEDURES DSNACCJF, DSNACCJP, DSNACCJQ, DSNACCJS, AND DSNACCUC.


APAR status

  • Closed as documentation error.

Error description

  • Using the DB2 stored procedures DSNACCJF, DSNACCJP, DSNACCJQ,
    DSNACCJS, and DSNACCUC.
    

Local fix

  • This APAR provides a roadmap to five related APARs that
    survey the new stored procedures included with PTF UQ81110.
    
    APAR Contents:
    
       APAR II13726: Stored procedure DSNACCJF
       APAR II13727: Stored procedure DSNACCJP
       APAR II13728: Stored procedure DSNACCJQ
       APAR II13729: Stored procedure DSNACCJS
       APAR II13730: Stored procedure DSNACCUC
    
    Terminology:
    
       Abbreviation Description
       ------------ -----------
       JCL          Job Control Language.
       JES2, JES3   The job entry subsystems that MVS uses to
                    do work.
       EMCS         Extended Multiple Console Support.
       MVS          Multiple Virtual Storage. Implies MVS/390,
                    MVS/XA, MVS/ESA,
                    and the MVS element of the OS/390 or z/OS
                    operating system.
       OMVS segment Part of the user profile (in RACF) which
                    contains z/OS UNIX information about
                    the user.
       RACF         Resource Access Control Facility, which
                    is a component of the SecureWay Security
                    Server for z/OS.
       WLM          Work Load Manager.
    
    Notes on the required RACF authority
    
    To execute the CALL statement, the owner of the package or
    plan that contains the CALL statement must have one or more
    of the following privileges:
        - The EXECUTE privilege on the stored procedure
        - Ownership of the stored procedure
        - SYSADM authority
    
    All the stored procedures described in this document use
    the __login() function to switch users. This requires
    daemon authority. If BPX.DAEMON is active, the stored
    procedures loaded into an address space must also have been
    defined to RACF program control. Otherwise, the following
    error is returned: "EDC5139I Operation not permitted".
    
    You can define programs from traditional libraries to
    program control or define the BPX.DAEMON.HFSCTL profile in
    the facility class so that programs that are loaded from
    MVS libraries are not checked for program control.
    
    To define programs from traditional libraries to program
    control, you need to:
    1. Activate the RACF program control (both access control
       to load modules and program access to data sets).
       SETROPTS WHEN(PROGRAM)
    2. Define one of the following profiles.
       A. For a particular program, define a discrete
          RACF PROGRAM class profile:
          RDEFINE PROGRAM membername
              ADDMEM('datasetname'/volser/NOPADCHK) UACC(READ)
       B. For all members in a data set:
          RDEFINE PROGRAM *
              ADDMEM('datasetname'/volser/NOPADCHK) UACC(READ)
    3. Refresh the in-storage copy of the PROGRAM profile.
       SETROPTS WHEN(PROGRAM) REFRESH
    
    To set up the BPX.DAEMON.HFSCTL FACILITY class, you need
    to:
    1. Define the resource profile.
       RDEFINE FACILITY BPX.DAEMON.HFSCTL UACC(NONE)
    2. Give READ access to users.
       PERMIT BPX.DAEMON.HFSCTL CLASS(FACILITY) ID(uuuuuu) ACCESS(READ)
       SETROPTS RACLIST(FACILITY) REFRESH
    
    For more information on BPX.DAEMON and setting up
    program control, you can refer to the z/OS UNIX System
    Services Planning manual.
    
    The stored procedures DSNACCJP and DSNACCJQ also use
    the EMCS console to issue JES commands to the console.
    
    These two stored procedures use the TSO/E user ID
    (which is the user ID specified in the user-ID parameter
    of the stored procedures) as the console name. You should
    therefore consider ways to control what an authorized
    TSO/E user can do during a console session.
    The security administrator can define a RACF user
    profile to control the console attributes of the EMCS console.
    For example:
    ADDUSER USER001 OPERPARM(AUTH(SYS))
    
    This example defines the user ID USER001 as an EMCS console
    with console attributes defined by the OPERPARM keyword.
    Note that the example includes only the information about
    console attributes for USER001.
    For complete information on the RACF ADDUSER command,
    refer to z/OS Security Server RACF Command Language Reference.
    
    Ensure that the user of the EMCS console
    (which is the user ID specified in the user-ID parameter
    of the stored procedures) has READ access to a profile in
    the RACF OPERCMDS class named:
      MVS.MCSOPER.console-name
    
    The following steps can be taken by the RACF security
    administrator to give users access to the RACF OPERCMDS class:
    1. Issue the SETROPTS command to activate the OPERCMDS class:
       SETROPTS CLASSACT(OPERCMDS)
    2. Issue the SETROPTS command to activate generic profiles
       for the class:
       SETROPTS GENERIC(OPERCMDS)
    3. Issue RDEFINE to establish a profile for MVS.MCSOPER.* :
       RDEFINE OPERCMDS MVS.MCSOPER.* UACC(NONE)
    4. Give the TSO/E user ID access to the class:
       PERMIT MVS.MCSOPER.* CLASS(OPERCMDS) ID(USER001) ACCESS(READ)
    5. Issue the SETROPTS RACLIST command to refresh the OPERCMDS
       reserve class:
       SETROPTS RACLIST(OPERCMDS) REFRESH
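
    A narrower alternative to the MVS.MCSOPER.* permission in
    step 4, given here as an added example that is not part of
    the original APAR text. Because the console name is the
    TSO/E user ID, a discrete profile lets USER001 activate
    only the console named USER001, while the generic profile
    with UACC(NONE) still denies every other console name.
    USER001 is the sample user ID used above; the RLIST,
    LISTUSER and SETROPTS LIST commands are added as checks.

    ```racf
    /* Backstop: deny every console name by default              */
    RDEFINE OPERCMDS MVS.MCSOPER.* UACC(NONE)

    /* Only if step 4 was already run: drop the broad permission */
    PERMIT MVS.MCSOPER.* CLASS(OPERCMDS) ID(USER001) DELETE

    /* Discrete profile for the one console name this user needs */
    RDEFINE OPERCMDS MVS.MCSOPER.USER001 UACC(NONE)
    PERMIT MVS.MCSOPER.USER001 CLASS(OPERCMDS) ID(USER001) ACCESS(READ)
    SETROPTS RACLIST(OPERCMDS) REFRESH

    /* Checks: class is active, generic and RACLISTed            */
    SETROPTS LIST

    /* Checks: access lists. USER001 should appear only on the   */
    /* discrete profile, not on MVS.MCSOPER.*                    */
    RLIST OPERCMDS MVS.MCSOPER.* AUTHUSER
    RLIST OPERCMDS MVS.MCSOPER.USER001 AUTHUSER

    /* Checks: console attributes set through OPERPARM           */
    LISTUSER USER001 OPERPARM NORACF
    ```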
    
    For more information on RACF commands, refer to
    z/OS SecureWay Security Server RACF Command Language Reference.
    For more information on the EMCS console refer to
    z/OS MVS Planning: Operations.
    
    The stored procedures DSNACCJP and DSNACCJQ issue
    the JES commands to cancel, purge or display a job.
    To protect these JES commands, you need to:
    1. Define the resource profile.
       RDEFINE OPERCMDS jesname.CANCEL.* UACC(NONE)
       RDEFINE OPERCMDS jesname.STOP.* UACC(NONE)
       RDEFINE OPERCMDS jesname.DISPLAY.* UACC(NONE)
    2. Give users access: UPDATE for CANCEL and STOP, READ for
       DISPLAY.
       PERMIT jesname.CANCEL.* CLASS(OPERCMDS) ID(uuuuuu) ACCESS(UPDATE)
       PERMIT jesname.STOP.* CLASS(OPERCMDS) ID(uuuuuu) ACCESS(UPDATE)
       PERMIT jesname.DISPLAY.* CLASS(OPERCMDS) ID(uuuuuu) ACCESS(READ)
       SETROPTS RACLIST(OPERCMDS) REFRESH
    
    To make sure that the related messages are always received
    by the EMCS console, issue the command
        ALTUSER userID OPERPARM(ROUTCODE(ALL) AUTH(INFO))
    for the user under whose authority the stored procedures
    will be run.
    
    ===========================================================
    

Problem summary

  • A brief user guide for the stored procedures
    DSNACCJF, DSNACCJP, DSNACCJQ, DSNACCJS, and DSNACCUC is required.
    

Problem conclusion

  • A brief user guide is provided.
    

Temporary fix

Comments

APAR Information

  • APAR number

    II13698

  • Reported component name

    PB LIB INFO ITE

  • Reported component ID

    INFOPBLIB

  • Reported release

    001

  • Status

    CLOSED DOC

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2003-10-08

  • Closed date

    2003-11-26

  • Last modified date

    2003-11-26

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels


Document Information

Modified date:
09 September 2020