z/OS Security Server RACF Messages and Codes


ICH408I

SA23-2291-00

ICH408I
INSUFFICIENT AUTHORITY TO syscall-name [CMD(subcommand)] [: UNABLE TO PROCESS ACL] [: SECURITY LABEL FAILURE]

Explanation

This error occurs when RACF® detects an attempt to specify a z/OS UNIX function for which the user does not have authority. Syscall-name identifies the z/OS UNIX callable service that invoked RACF. Subcommand identifies the subcommand of syscall-name, where appropriate. If present, subcommand is either IPC_RMID or IPC_SET.

The text ": UNABLE TO PROCESS ACL" is displayed if a file access check detected that an ACL exists for the file, but it cannot be retrieved. In this case, the "ACCESS INTENT ...ACCESS ALLOWED..." portion of ICH408I is not displayed. This most likely indicates that a release level mismatch exists among nodes in a SYSPLEX. For example, if an ACL is created for a file by an uplevel node, access attempts to this file from a downlevel node fail with this message text. Similarly, if an ACL is created for a file by an uplevel node, and the file system in which it resides is then mounted by a downlevel node, access attempts to this file fail with this message text.

The text ": SECURITY LABEL FAILURE" is displayed if the user was running with an inappropriate security label, or the resource did not have a security label when one was required. When subcommand is present in the message, "SECLABEL" is displayed instead of "SECURITY LABEL".

System action

RACF returns an error return code to the invoking system function, which returns an error return code to the application caller or causes the calling task to abend. See z/OS UNIX System Services Programming: Assembler Callable Services Reference to determine the action of the syscall functions.

Programmer response

Provide appropriate information about the failure to the user of your program, based on the function invoked and the return codes received. If "UNABLE TO PROCESS ACL" is displayed, then you must upgrade all nodes in the sysplex to a level of code that supports ACLs. If you require immediate access to the file, try unmounting the file system from the current node, remounting it on an uplevel node, and accessing it from an uplevel node. If a security label failure is indicated, ensure that the resources accessed by your program have the correct security labels.

Note:
  1. If syscall is LOOKUP or OPEN or the class is DIRSRCH, the problem is most likely access to a directory in the indicated path. See information APAR II12593 to examine the problem.
  2. When the message contains the string 'INSUFFICIENT AUTHORITY TO CONSOLE', the user does not have permission to use the authorized features of the z/OS® UNIX System Services _console() or _console2() services.

    Access can be controlled by the BPX.CONSOLE profile in the FACILITY class. For more information, see Setting up the UNIX-related FACILITY and SURROGAT class profiles in z/OS UNIX System Services Planning.
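The following is an added example, not IBM-supplied code: a small parser that classifies the message line documented above so that access failures can be routed to the matching response on this page. The tag names, the `triage` function and the sample lines are assumptions constructed for illustration.

```python
import re

# Message line for z/OS UNIX failures, as documented on this page:
#   INSUFFICIENT AUTHORITY TO syscall-name [CMD(subcommand)]
#   [: UNABLE TO PROCESS ACL] [: SECURITY LABEL FAILURE]
# "SECLABEL" replaces "SECURITY LABEL" when a subcommand is present.
ICH408I_RE = re.compile(
    r"INSUFFICIENT AUTHORITY TO (?P<syscall>[A-Z0-9_]+)"
    r"(?:\s+CMD\((?P<subcommand>IPC_RMID|IPC_SET)\))?"
    r"(?P<acl>\s*:\s*UNABLE TO PROCESS ACL)?"
    r"(?P<label>\s*:\s*(?:SECURITY LABEL|SECLABEL) FAILURE)?"
)

# Triage tags (hypothetical names) mapped to what this page says about each case.
ADVICE = {
    "acl-unreadable": "ACL exists but cannot be retrieved; check for a release "
                      "level mismatch among sysplex nodes",
    "security-label": "user's security label is inappropriate or the resource "
                      "lacks a required one",
    "directory-path": "most likely access to a directory in the indicated path",
    "bpx-console": "review access to BPX.CONSOLE in the FACILITY class",
}

def triage(line):
    """Return syscall, subcommand and triage tags, or None if not this message."""
    m = ICH408I_RE.search(line)
    if m is None:
        return None
    tags = []
    if m.group("acl"):
        tags.append("acl-unreadable")
    if m.group("label"):
        tags.append("security-label")
    if m.group("syscall") in ("LOOKUP", "OPEN"):
        tags.append("directory-path")
    if m.group("syscall") == "CONSOLE":
        tags.append("bpx-console")
    return {"syscall": m.group("syscall"),
            "subcommand": m.group("subcommand"), "tags": tags}

# Constructed sample lines (not captured from a real system).
SAMPLES = [
    "INSUFFICIENT AUTHORITY TO OPEN : UNABLE TO PROCESS ACL",
    "INSUFFICIENT AUTHORITY TO SHMCTL CMD(IPC_SET) : SECLABEL FAILURE",
    "INSUFFICIENT AUTHORITY TO CONSOLE",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = triage(s)
        print(r["syscall"], r["subcommand"], [ADVICE[t] for t in r["tags"]])
```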

Copyright IBM Corporation 1990, 2014