We have a winner!! Please claim the virtual brew of your choice. 

To recap the problem, operators were able to call the SR screen, but an
attempt to reply failed with "NOT AUTHORIZED FOR CMD". Just that, no
other messages or syslog entries at all. None. Nada. 

Bob not only nailed the scenario but put me on the path for a simple
resolution.  

I found that there were no ISFSR profiles defined at all. I need to go
back to the FM to see where I missed that discussion. 

But, as I pondered the ISFSR profiles to craft the change commands, I
saw how folks were assigned to the groups defined in ISFPARMS.

That is, the resource GROUP.xxxx in the SDSF class equates to the GROUP
xxxx definition in ISFPARMS. READ access to the resource puts that user
in that group and gives the authorities therein.

Thanks all and special thanks to Bob!

To all: The very best of the season to you, yours and theirs.  

 
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On
Behalf Of Robert S. Hansel (RSH)
Sent: Wednesday, December 17, 2008 7:24 AM
To: [email protected]
Subject: Re: SDSF Security

Hal,

Is the problem that the users cannot get to the SR panel, or they can't
act on a message once they get there?

To get to the panel, they need READ access to SDSF class resource
ISFCMD.ODSP.SR.system. If they have access, SR System Requests should
show up on their SDSF Primary Option Menu when they enter SDSF. If not
and they attempt to enter the SR command, they should get an ICH408I
violation message. If it is not defined to RACF, ISFPARMS governs, and
if they don't have access, they will only get "COMMAND NOT AUTHORIZED".

If they can get to the SR panel, they will need READ access to either,
or both, ISFSR.ACTION.system.jobname or ISFSR.REPLY.system.jobname in
order to act on messages. If these resources are protected by RACF, and
they don't have sufficient access, they will get an ICH408I message and
"NOT AUTHORIZED FOR CMD". If they are not protected by RACF, ISFPARMS
governs, and if they don't have access, they will only get "NOT
AUTHORIZED FOR CMD".

Based on what you've said, I'm guessing you defined and granted them
access to ISFCMD.ODSP.SR.system but didn't define profiles for the
ISFSR resources, and the ISFPARMS don't give them access.

One final consideration which you've probably already thought of but
just in case. If defined to RACF, is the SDSF class RACLISTed and did
you do a REFRESH on the system where executed? If not, is the profile(s)
protecting these SDSF resources generic and did you do a GENERIC REFRESH
(or have the user logon/logoff)?

Hope this helps. Happy Holidays.

Regards, Bob

---------------------------------------------------------------------
Robert S. Hansel       | 2009 RACF Training (January - July)
Lead RACF Specialist   | > Intro & Basic Admin - Boston - APR 28-30
RSH Consulting, Inc.   | > Audit for Results   - Boston - MAY 19-21
www.rshconsulting.com  |
617-969-8211           | Visit our website for registration & details
---------------------------------------------------------------------

-----Original Message-----
Date:    Tue, 16 Dec 2008 11:27:11 -0600
From:    Hal Merritt <[email protected]>
Subject: SDSF Security

My operations folks would like to use the SR panel to manage WTOR's. All
of the applicable  RACF profiles seem to be in place and they can issue
the replies from the LOG screen.

The diagnosis procedure in the FM for the error message wasn't
productive.

The error message returned is "Not authorized for cmd". Nothing else
even though WTPMSG is in effect.

Could someone fax me a clue? :-)

Thanks.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
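
Bob's checklist written out as RACF commands, as an added example that is not part of the original posts. SYSA (the system name) and OPSGRP (the operator group) are assumed placeholder names, and the profile layout is one possible choice, not the definitions used at the poster's site.

```tso
/* Added example. SYSA and OPSGRP are hypothetical names.            */

/* 1. Check what is already defined in the SDSF class. An empty      */
/*    result for ISFSR means ISFPARMS alone decides who may reply.   */
SEARCH CLASS(SDSF) MASK(ISFCMD.ODSP.SR)
SEARCH CLASS(SDSF) MASK(ISFSR)

/* 2. SR panel access (skip the RDEFINE if step 1 found the profile) */
RDEFINE SDSF ISFCMD.ODSP.SR.SYSA UACC(NONE)
PERMIT ISFCMD.ODSP.SR.SYSA CLASS(SDSF) ID(OPSGRP) ACCESS(READ)

/* 3. Acting on messages from the SR panel: action messages and      */
/*    WTOR replies, for any job name on SYSA                         */
RDEFINE SDSF ISFSR.ACTION.SYSA.* UACC(NONE)
RDEFINE SDSF ISFSR.REPLY.SYSA.*  UACC(NONE)
PERMIT ISFSR.ACTION.SYSA.* CLASS(SDSF) ID(OPSGRP) ACCESS(READ)
PERMIT ISFSR.REPLY.SYSA.*  CLASS(SDSF) ID(OPSGRP) ACCESS(READ)

/* 4. Make the changes effective. Use the first form if the SDSF     */
/*    class is RACLISTed, otherwise refresh the generic profiles.    */
SETROPTS RACLIST(SDSF) REFRESH
SETROPTS GENERIC(SDSF) REFRESH

/* 5. Confirm the access lists                                       */
RLIST SDSF ISFCMD.ODSP.SR.SYSA AUTHUSER
RLIST SDSF ISFSR.REPLY.SYSA.*  AUTHUSER
```

With the ISFSR resources protected by RACF, a denied reply should produce the ICH408I message Bob describes alongside "NOT AUTHORIZED FOR CMD", which gives the audit trail that was missing in the original problem.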