On Sat, 28 Feb 2009 15:55:01 -0600, George Dranes <[email protected]> wrote:

>I think I've finally gotten my MPFLST exit working.  I'm using RACROUTE
>REQUEST=TOKENBLD to first acquire a token and then use this token in the
>MGCRE macro.  I did notice that when I don't specify the GROUP in the
>RACROUTE call that it appears to pass garbage rather than use the default
>group of the user.  I receive the following:
>
>IEE345I DISPLAY  AUTHORITY INVALID, FAILED BY SECURITY PRODUCT
>ICH408I USER(L#TSCONS) GROUP(R     CG) NAME(GENERIC CONSOLE UID )
>  LOGON/JOB INITIATION - INVALID GROUP
>
>It does consistently put (R     CG) as the group.  What is crazy is this same
>exit works fine without specifying the group on another lpar??  The only
>difference between the two is the userid.  I have no experience with the
>RACROUTE macro, is GROUP required on a REQUEST=TOKENBLD or is there
>something screwy happening in my code?  Thanks for any help.

A UTOKEN built by RACF would always have a group, but I'm not aware of any
requirement to provide one on a TOKENBLD request.  I suspect an error in
your code (perhaps, failure to properly initialize the L-form of the macro),
but can only suggest that you show us your code and that you examine the
UTOKEN you build before you pass it in on the MGCRE.

-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
