If as a SCLM administrator you encounter authority problems, the
method shown here should help you to resolve your problems.
- For the SCLM project/alternate with which you are having problems,
set up an XFACILIT resource in this format with a UACC of READ:
SCLM.SECDBG.ON.project.alternate
where:
- project
- The SCLM project name to be debugged.
- alternate
- The SCLM alternate project name to be debugged.
Figure 1 shows the XFACILIT SECDBG profile.
Figure 1. XFACILIT SECDBG profileCLASS NAME
----- ----
XFACILIT SCLM.SECDBG.ON.PRJ0120.* (G)
GROUP CLASS NAME
----- ----- ----
GXFACILI
LEVEL OWNER UNIVERSAL ACCESS YOUR ACCESS WARNING
----- -------- ---------------- ----------- -------
00 SCLM READ READ NO
INSTALLATION DATA
-----------------
NONE
APPLICATION DATA
----------------
NONE
Note: Once the RACF® resources
have been refreshed, debugging information is displayed for every
person or job which accesses the project/alternate.
- After the RACF resource
rules have been refreshed, SCLM displays information like that shown
in Figure 2.
Figure 2. SCLM security debug informationFLMC0SVI: SCLM.SECSUB.OFF.PRJ0120.PRJ0120
ACCESS = READ
SEC00RC= 8
SAFRC1 = 8
SAFRC2 = 8
SAFRE = 0
FLM085 Security error. RACROUTE REQ=AUTH, SAF RC=08, RACF RC=08, RACF RS=00
FLMC0SVI: SCLM.SECSVC.OFF.PRJ0120.PRJ0120
ACCESS = READ
SEC00RC= 0
SAFRC1 = 0
SAFRC2 = 0
SAFRE = 0
FLMC0SVI: SCLM.SECDSN.OFF.PRJ0120.PRJ0120
ACCESS = READ
SEC00RC= 0
SAFRC1 = 0
SAFRC2 = 0
SAFRE = 0
FLMS1II: SCLM Security Status:
Global = ON
Dataset = OFF
Service = OFF
Subproject = ON
The information as displayed in Figure 2 shows the set up of the SCLM
security. You can see that SCLM attempted to read the XFACILIT resource
SCLM.SECSUB.OFF.PRJ012.PRJ0120 to determine if subproject security
was switched off. The RC=8 indicates that the SCLM did not find a
subproject XFACILIT resource or, if it exists, it has a UACC of NONE.
Hence, subproject security is active.
The next two calls were
successful, showing that SCLM DSN security and SCLM service security
are disabled.
- Get the user to continue and reproduce the problem. You should
see more debugging information relating to the error, like that shown
in Figure 3.
Figure 3. Additional SCLM security debug informationFLMC0SVI: SCLM.SUB.PRJ0120.PRJ0120.VISA.COBOL
ACCESS = READ
SEC00RC= 0
SAFRC1 = 8
SAFRC2 = 8
SAFRE = 0
FLM085 Security error. RACROUTE REQ=AUTH, SAF RC=08, RACF RC=08, RACF RS=00
FLMC0SVJ: rc 24 subproj=COBOL
From the above, you now know it is the XFACILIT resource
that is causing the problem.
- Go into RACF General Resource
profiles (option 2) and display the resource by specifying option
'D' Display profile contents:
RACF - GENERAL RESOURCE SERVICES - DISPLAY
OPTION ===>
ENTER THE FOLLOWING PROFILE INFORMATION:
CLASS ===> XFACILIT
PROFILE ===> SCLM.SUB.PRJ0120.PRJ0120.VISA.COBOL
<==end of data
NOTE: Embedded Blanks are NOT ALLOWED in class or profile names.
The profile name may be case sensitive. View the help and
select PROFILE NAME for more detail.
- Type in YES in the ACCESS LIST selection
field:
RACF - DISPLAY GENERAL RESOURCE PROFILE
COMMAND ===>
CLASS: XFACILIT
PROFILE _ SCLM.SUB.PRJ0120.PRJ0120.VISA.COBOL
Enter YES to select a profile type:
___ DISCRETE ___ GENERIC ___ NOGENERIC
Enter YES to select one or more of the following:
___ RESOURCE GROUP ___ STDATA ___ ICTX DATA
YES ACCESS LIST ___ SECURED SIGNON
___ HISTORY ___ SYSTEMVIEW
___ STATISTICS ___ KERBEROS
___ TVTOC ___ LDAP PROXY
___ SESSION ___ EIM
___ DLF DATA ___ CDTINFO
___ NO RACF
___ NO YOUR-ACCESS
- Press Enter. SCLM displays the XFACILIT resource:
CLASS NAME
----- ----
XFACILIT SCLM.SUB.PRJ0120.*.VISA.* (G)
GROUP CLASS NAME
----- ----- ----
GXFACILI
LEVEL OWNER UNIVERSAL ACCESS YOUR ACCESS WARNING
----- -------- ---------------- ----------- -------
00 SCLM NONE NONE NO
INSTALLATION DATA
-----------------
NONE
APPLICATION DATA
----------------
NONE
SECLEVEL
--------
NO SECLEVEL
CATEGORIES
----------
NO CATEGORIES
SECLABEL
--------
NO SECLABEL
AUDITING
--------
FAILURES(READ)
GLOBALAUDIT
-----------
NONE
NOTIFY
------
NO USER TO BE NOTIFIED
USER ACCESS
---- ------
USERS2 UPDATE
ID ACCESS CLASS ENTITY NAME
-------- ------- -------- ---------------------------------------
NO ENTRIES IN CONDITIONAL ACCESS LIST
Notice that, even though you entered a fully-qualified
resource, RACF returned the
actual resource which secures that resource, SCLM.SUB.PRJ0120.*.VISA.*.
In
this case, the user USERS1 did not have access to the subproject VISA.