z/OS Security Server RACF Messages and Codes
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


IRR416I

z/OS Security Server RACF Messages and Codes
SA23-2291-00

IRR416I
RACF DETECTED AN INVALID NON-EGN DATASET PROFILE NAME. PROFILE profile-name DOES NOT PROTECT THE INTENDED RESOURCES.

Explanation

RACF® detected a profile that was added before the enablement of Enhanced Generic Names (EGN) and that cannot be interpreted as intended under EGN rules. This message identifies the non-EGN generic data set profile name. Under EGN rules, the profile might not protect the resources that it was defined to protect. If this message is issued during processing of a SEARCH or LISTDSD GENERIC request, bad profile names (particularly names 43 and 44 characters in length) might also be displayed and the output is considered unreliable.

For example, suppose the following six generic data set profiles were defined before turning EGN on:

  1 ADDSD 'IBMUSER.IBMUSER.IBMUSER.IBMUSER.U.XX.D.D.*'
  2 ADDSD 'IBMUSER.IBMUSER.IBMUSER.IBMUSER.U.XX.D.DD*'
  3 ADDSD 'IBMUSER.IBMUSER.IBMUSER.IBMUSER.US.XX.D.D.*'
  4 ADDSD 'IBMUSER.IBMUSER.IBMUSER.IBMUSER.US.XX.D.DD*'
  5 ADDSD 'IBMUSER.IBMUSER.IBMUSER.IBMUSER.USE.XX.D.D.*'
  6 ADDSD 'IBMUSER.IBMUSER.IBMUSER.IBMUSER.USE.XX.D.DD*'

Then EGN was enabled and three more generic data set profiles were defined:

      7 ADDSD 'IBMUSER.IBMUSER.IBMUSER.IBMUSER.U.**'
      8 ADDSD 'IBMUSER.IBMUSER.IBMUSER.IBMUSER.US.**'
      9 ADDSD 'IBMUSER.IBMUSER.IBMUSER.IBMUSER.USE.**'

A subsequent SEARCH request would display the following information:

  SEARCH CLASS(DATASET)
  IRR416I RACF DETECTED AN INVALID NON-EGN DATASET PROFILE NAME.
          PROFILE IBMUSER.IBMUSER.IBMUSER.IBMUSER.U.XX.D.D.*
          DOES NOT PROTECT THE INTENDED RESOURCES.
  IRR416I RACF DETECTED AN INVALID NON-EGN DATASET PROFILE NAME.
          PROFILE IBMUSER.IBMUSER.IBMUSER.IBMUSER.U.XX.D.DD*
          DOES NOT PROTECT THE INTENDED RESOURCES.
  IRR416I RACF DETECTED AN INVALID NON-EGN DATASET PROFILE NAME.
          PROFILE IBMUSER.IBMUSER.IBMUSER.IBMUSER.US.XX.D.D.*
          DOES NOT PROTECT THE INTENDED RESOURCES.
  IRR416I RACF DETECTED AN INVALID NON-EGN DATASET PROFILE NAME.
          PROFILE IBMUSER.IBMUSER.IBMUSER.IBMUSER.US.XX.D.DD*
          DOES NOT PROTECT THE INTENDED RESOURCES.
A IBMUSER.IBMUSER.IBMUSER.IBMUSER.U.XX.D.D.*.* (G)
  IRR416I RACF DETECTED AN INVALID NON-EGN DATASET PROFILE NAME.
          PROFILE IBMUSER.IBMUSER.IBMUSER.IBMUSER.U.XX.D.D.*
          DOES NOT PROTECT THE INTENDED RESOURCES.
B IBMUSER.IBMUSER.IBMUSER.IBMUSER.U.XX.D.DD*.* (G)
  IRR416I RACF DETECTED AN INVALID NON-EGN DATASET PROFILE NAME.
          PROFILE IBMUSER.IBMUSER.IBMUSER.IBMUSER.U.XX.D.DD*
          DOES NOT PROTECT THE INTENDED RESOURCES.
C IBMUSER.IBMUSER.IBMUSER.IBMUSER.U.** (G)
D IBMUSER.IBMUSER.IBMUSER.IBMUSER.US.XX.D.D.* (G)
  IRR416I RACF DETECTED AN INVALID NON-EGN DATASET PROFILE NAME.
          PROFILE IBMUSER.IBMUSER.IBMUSER.IBMUSER.US.XX.D.D.*
          DOES NOT PROTECT THE INTENDED RESOURCES.
E IBMUSER.IBMUSER.IBMUSER.IBMUSER.US.XX.D.DD* (G)
  IRR416I RACF DETECTED AN INVALID NON-EGN DATASET PROFILE NAME.
          PROFILE IBMUSER.IBMUSER.IBMUSER.IBMUSER.US.XX.D.DD*
          DOES NOT PROTECT THE INTENDED RESOURCES.
F IBMUSER.IBMUSER.IBMUSER.IBMUSER.US.** (G)
G IBMUSER.IBMUSER.IBMUSER.IBMUSER.USE.XX.D.D.* (G)
H IBMUSER.IBMUSER.IBMUSER.IBMUSER.USE.XX.D.DD* (G)
I IBMUSER.IBMUSER.IBMUSER.IBMUSER.USE.** (G)

RACF command processing might cause the IRR416I message to be issued more than once. However, any time it is issued during a command invocation, the command output must be considered unreliable. In the example above, changes in EGN rules might cause RACF to incorrectly interpret non-EGN profiles (1) and (2) as SEARCH profiles (A) and (B). These profiles no longer cover the intended resources. Even though names (D) and (E) appear correct, with no additional characters at the end, they also do not cover the intended resources and cause IRR416I messages to be issued. EGN profiles (7), (8), and (9) were correctly displayed by SEARCH as (C), (F), and (I). Profiles (G) and (H) follow the same rules under non-EGN and EGN, so they actually protect what they were intended to protect.

System action

RACF processing of the request continues.

Operator response

Report this message to the systems programmer or the RACF security administrator and save the message output.

Programmer response

See "Problem Determination."

Problem determination

This message identifies the bad profile.

An EGN profile, possibly less specific, can be defined to protect the wanted resources; however, the original bad non-EGN profile must still be deleted to prevent further IRR416I messages.

To delete bad profiles:
  1. Use SETROPTS NOEGN to temporarily disable EGN. During this time, there is no other system activity, in order to prevent the creation of generic profiles that can result in additional problems. Under normal circumstances, it is not recommended that EGN be turned off after it is turned on.
  2. Use SEARCH GENERIC CLIST NOMASK NOLIST to create a CLIST containing generic data set profile names.
  3. Edit the CLIST, to find 42- and 43-character names ending in '.*'.
  4. Delete the profiles found.
  5. Use SETROPTS EGN to re-enable EGN.
  6. Define profiles according to EGN rules that protect the resources intended to be protected by the non-EGN profile names.

Routing code

9 and 11

Routing code 11 is only used when a TSO environment is not in effect.

Descriptor code

4

Parent topic: RACF processing messages

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014