z/OS ISPF Software Configuration and Library Manager Guide and Reference
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Resolving authority problems

z/OS ISPF Software Configuration and Library Manager Guide and Reference
SC19-3625-00

If as a SCLM administrator you encounter authority problems, the method shown here should help you to resolve your problems.

  1. For the SCLM project/alternate with which you are having problems, set up an XFACILIT resource in this format with a UACC of READ: 
    SCLM.SECDBG.ON.project.alternate
    where:
    project
    The SCLM project name to be debugged.
    alternate
    The SCLM alternate project name to be debugged.
    Figure 1 shows the XFACILIT SECDBG profile.
    Figure 1. XFACILIT SECDBG profile
    CLASS      NAME
-----      ----
XFACILIT   SCLM.SECDBG.ON.PRJ0120.* (G)

GROUP CLASS NAME
----- ----- ----
GXFACILI

LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    SCLM           READ               READ    NO

INSTALLATION DATA
-----------------
NONE

APPLICATION DATA
----------------
NONE
    Note: Once the RACF® resources have been refreshed, debugging information is displayed for every person or job which accesses the project/alternate.
  2. After the RACF resource rules have been refreshed, SCLM displays information like that shown in Figure 2.
    Figure 2. SCLM security debug information
    FLMC0SVI: SCLM.SECSUB.OFF.PRJ0120.PRJ0120
    ACCESS = READ
    SEC00RC=  8
    SAFRC1 =  8
    SAFRC2 =  8
    SAFRE  =  0
  FLM085   Security error. RACROUTE REQ=AUTH, SAF RC=08, RACF RC=08, RACF RS=00
 FLMC0SVI: SCLM.SECSVC.OFF.PRJ0120.PRJ0120
    ACCESS = READ
    SEC00RC=  0
    SAFRC1 =  0
    SAFRC2 =  0
    SAFRE  =  0

 FLMC0SVI: SCLM.SECDSN.OFF.PRJ0120.PRJ0120
    ACCESS = READ
    SEC00RC=  0
    SAFRC1 =  0
    SAFRC2 =  0
    SAFRE  =  0

 FLMS1II: SCLM Security Status:
          Global     = ON
          Dataset    = OFF
          Service    = OFF
          Subproject = ON

    The information as displayed in Figure 2 shows the set up of the SCLM security. You can see that SCLM attempted to read the XFACILIT resource SCLM.SECSUB.OFF.PRJ012.PRJ0120 to determine if subproject security was switched off. The RC=8 indicates that the SCLM did not find a subproject XFACILIT resource or, if it exists, it has a UACC of NONE. Hence, subproject security is active.

    The next two calls were successful, showing that SCLM DSN security and SCLM service security are disabled.

  3. Get the user to continue and reproduce the problem. You should see more debugging information relating to the error, like that shown in Figure 3.
    Figure 3. Additional SCLM security debug information
    FLMC0SVI: SCLM.SUB.PRJ0120.PRJ0120.VISA.COBOL
    ACCESS = READ
    SEC00RC=  0
    SAFRC1 =  8
    SAFRC2 =  8
    SAFRE  =  0
  FLM085   Security error. RACROUTE REQ=AUTH, SAF RC=08, RACF RC=08, RACF RS=00
 FLMC0SVJ: rc  24 subproj=COBOL

    From the above, you now know it is the XFACILIT resource that is causing the problem.

  4. Go into RACF General Resource profiles (option 2) and display the resource by specifying option 'D' Display profile contents: 
                           RACF - GENERAL RESOURCE SERVICES -  DISPLAY
OPTION ===>

ENTER THE FOLLOWING PROFILE INFORMATION:

   CLASS     ===> XFACILIT

   PROFILE   ===> SCLM.SUB.PRJ0120.PRJ0120.VISA.COBOL


                         <==end of data

      NOTE: Embedded Blanks are NOT ALLOWED in class or profile names.
            The profile name may be case sensitive.  View the help and
            select PROFILE NAME for more detail.
  5. Type in YES in the ACCESS LIST selection field: 
                       RACF - DISPLAY GENERAL RESOURCE PROFILE
COMMAND ===>

  CLASS:         XFACILIT
  PROFILE      _ SCLM.SUB.PRJ0120.PRJ0120.VISA.COBOL

 Enter YES     to select a profile type:
   ___  DISCRETE    ___  GENERIC    ___  NOGENERIC

 Enter YES     to select one or more of the following:
   ___  RESOURCE GROUP     ___  STDATA             ___  ICTX DATA
   YES  ACCESS LIST        ___  SECURED SIGNON
   ___  HISTORY            ___  SYSTEMVIEW
   ___  STATISTICS         ___  KERBEROS
   ___  TVTOC              ___  LDAP PROXY
   ___  SESSION            ___  EIM
   ___  DLF DATA           ___  CDTINFO

   ___  NO RACF
   ___  NO YOUR-ACCESS
  6. Press Enter. SCLM displays the XFACILIT resource: 
    CLASS      NAME
-----      ----
XFACILIT   SCLM.SUB.PRJ0120.*.VISA.* (G)

GROUP CLASS NAME
----- ----- ----
GXFACILI

LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    SCLM            NONE               NONE    NO

INSTALLATION DATA
-----------------
NONE

APPLICATION DATA
----------------
NONE

SECLEVEL
--------
NO SECLEVEL

CATEGORIES
----------
NO CATEGORIES

SECLABEL
--------
NO SECLABEL

AUDITING
--------
FAILURES(READ)

GLOBALAUDIT
-----------
NONE

NOTIFY
------
NO USER TO BE NOTIFIED


USER      ACCESS
----      ------
USERS2   UPDATE

   ID     ACCESS  CLASS                ENTITY NAME
-------- ------- -------- ---------------------------------------
NO ENTRIES IN CONDITIONAL ACCESS LIST

    Notice that, even though you entered a fully-qualified resource, RACF returned the actual resource which secures that resource, SCLM.SUB.PRJ0120.*.VISA.*.

    In this case, the user USERS1 did not have access to the subproject VISA.

Parent topic: Working with subproject security

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014