SDSF autorization



All about SAF, RACF, encryption, Firewall, Risk assessment and integrity concepts

SDSF autorization

Postby samb01 » Wed Sep 18, 2013 2:52 pm

Hello,

when i try to delete sysout job by TWS with this commande REXX :

ADDRESS SDSF "ISFACT H TOKEN('"TOKEN.IX"') PARM(NP P)"


after the commande :

TSO PROFILE WTPMSG



There is this message in the log :

ICH70001I OPC      LAST ACCESS AT 10:47:41 ON WEDNESDAY, SEPT
 2013                                                       
$HASP373 VTESTSB1 STARTED - INIT 37   - CLASS O - SYS V012   
IEF403I VRESTQ - STARTED - TIME=10.48.20                   
ICH408I USER(OPC     ) GROUP(UXCP    ) NAME(OPC             
  VGCS.UTRU200..JOB03445.GROUP.1 CL(JESSPOOL)        INSUFFICIENT ACCESS AUTHORITY                             
  FROM *.*.*.*.GROUP*.* (G)                                 
  ACCESS INTENT(ALTER  )  ACCESS ALLOWED(NONE   )           
ISF015I SDSF COMMAND ATTEMPTED '$COJ(3445),OUTGRP=1.1.1     
    ' OPC      REXX                                         


How could i resolve it ?

Thank's for your help.
samb01
 
Posts: 236
Joined: Mon Nov 16, 2009 7:24 pm
Has thanked: 0 time
Been thanked: 0 time

Re: SDSF autorization

 

Re: SDSF autorization

Postby enrico-sorichetti » Wed Sep 18, 2013 3:21 pm

VGCS.UTRU200..JOB03445.GROUP.1 CL(JESSPOOL) INSUFFICIENT ACCESS AUTHORITY


How could i resolve it ?


by contacting Your security group :mrgreen:
cheers
enrico
When I tell somebody to RTFM or STFW I usually have the page open in another tab/window of my browser,
so that I am sure that the information requested can be reached with a very small effort
enrico-sorichetti
Global moderator
 
Posts: 2643
Joined: Fri Apr 18, 2008 11:25 pm
Has thanked: 0 time
Been thanked: 130 times

Re: SDSF autorization

Postby steve-myers » Wed Sep 18, 2013 3:59 pm

Mr. Sorrichetti is correct. User OPC does not have the authority to cancel the output group. The RACF profile is JESSPOOL/*.*.*.*.GROUP*.* Site security will have to update that profile or add a more specific profile. Finally they may tell you it's not something that should be allowed. I won't try to guess how they will respond. They may even delete the profile!
steve-myers
Global moderator
 
Posts: 1885
Joined: Thu Jun 03, 2010 6:21 pm
Has thanked: 4 times
Been thanked: 197 times

Re: SDSF autorization

Postby samb01 » Wed Sep 18, 2013 5:55 pm

Hello,

i a m allow to do it by my own user. But whne the job is submited by TWS, it doesn't work.

There is a membre in the parmlib (ISFPRMUU) where i can see diffent group with that definition :

/**********************************************/
/*  GROUP XDTU                                */
/**********************************************/
 GROUP AUPDT(2),                               
   ILPROC(PROCXDTU),                           
   ACTION(ALL),                                 
   AUTH(I,O,H,DA,PREF,INPUT,LOG,FINDLIM),       
   CMDAUTH(GROUP),                             
   CMDLEV(4),                                   
   CONFIRM(ON),                                 
   CURSOR(ON),                                 
   DADFLT(IN,OUT,TRANS,JOB),                   
   DSPAUTH(GROUP),                             
   GPREF(XDTU*),                               
   HFIELDS(HELDUTA),                           
   IFIELDS(INUT),                               
   ILOGCOL(1),                                 
   LANG(ENGLISH),                               
   PREFIX(GROUP),                               
   VIO(SYSALLDA)                                           
                                                           
/**********************************************/           



XDTU is my RACF Group.

And i notice the TWS RACF Group is not defined in this member. It should be in, don't you think so ?
samb01
 
Posts: 236
Joined: Mon Nov 16, 2009 7:24 pm
Has thanked: 0 time
Been thanked: 0 time

Re: SDSF autorization

Postby dick scherrer » Wed Sep 18, 2013 6:46 pm

Hello,

Suggest you ask your manager or the security admins why this is set up like this.

Might be that no one has recognized this before.
Hope this helps,
d.sch.
User avatar
dick scherrer
Global moderator
 
Posts: 6304
Joined: Sat Jun 09, 2007 8:58 am
Has thanked: 3 times
Been thanked: 91 times

Re: SDSF autorization

Postby samb01 » Wed Sep 18, 2013 7:11 pm

dick scherrer wrote:Might be that no one has recognized this before.


i think so...
samb01
 
Posts: 236
Joined: Mon Nov 16, 2009 7:24 pm
Has thanked: 0 time
Been thanked: 0 time

Re: SDSF autorization

Postby NicC » Thu Sep 19, 2013 1:42 pm

Remember - your userid is NOT TWS's userid. Different authorities therefore apply.
The problem I have is that people can explain things quickly but I can only comprehend slowly.
Regards
Nic
NicC
Global moderator
 
Posts: 2690
Joined: Sun Jul 04, 2010 12:13 am
Location: Pushing up the daisys (almost)
Has thanked: 4 times
Been thanked: 105 times


Return to Mainframe Security

 


  • Related topics
    Replies
    Views
    Last post