Ken,
Because the IDFIND routine is invoked via a CALL macro which generates a 
V(CON) for IDFIND, that routine must be linkedited into the load module. 
If the module source isn't in the same program, I would look in the LKED 
JCL for the list of objects pulled in, and find the source.  My guess is 
that rather than going through the "trouble" of having additional IDs 
allowed to access the RACF profile, a second check, probably of a table of 
USERIDs, was added.  This is a dangerous and risky practice, because 
security rightly belongs in the security group; having application-defined 
security is a way to find you have little to no security.

===============================================
Wayne Driscoll
OMEGAMON DB2 L3 Support/Development
wdrisco(AT)us.ibm.com
===============================================



"Klein, Kenneth" <[email protected]> 
Sent by: IBM Mainframe Discussion List <[email protected]>
07/02/2009 09:36 AM
Please respond to: IBM Mainframe Discussion List <[email protected]>
To: [email protected]
Subject: Re: Command program from the cbt

Thanks to all who are offering up the good clues!!

The source here may have been modified by a previous systems guy. This
part of the code is where I'm getting booted I think. I know I'm getting
the cmd107i message and then the message from the NOTAUTH routine. What
is this IDFIND routine?? 


FINDUSER DS    0H                                          -RPMAC 
         WTO   'CMD107I SAFRC04: USING SECONDARY CHECK',ROUTCDE=(2,11)
         CALL  IDFIND      SEE IF THE CURRENT USER IS      -RPMAC 
         LTR   R15,R15     ALTERNATIVELY AUTHORIZED.       -RPMAC 
         BZ    EXTRACT       ZERO RETURN IS A-OK           -RPMAC 
         B     NOTAUTH      913 AND OUT                    -RPMAC 
* 

Ken Klein
Sr. Systems Programmer
Kentucky Farm Bureau Insurance - Louisville
[email protected]
502-495-5000 x7011

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On
Behalf Of Mark Zelden
Sent: Thursday, July 02, 2009 10:30 AM
To: [email protected]
Subject: Re: Command program from the cbt

On Thu, 2 Jul 2009 10:15:28 -0400, Klein, Kenneth
<[email protected]>
wrote:

> No, that's why the RACF guy tells me it's not his problem. No RACF 
>messages. Just the cmd913e error message from the command program. I 
>can see in the code that he does a RACROUTE and the BH command sends 
>control straight to the error message and abends.
>

Your RACF guy is wrong; it's a RACF issue.  I use COMMAND in my sandbox
LPARs for startup and shutdown and have the source.  It checks the
RACF FACILITY class for a profile called COMMAND to see if you have
access.  I don't have anything defined, so it works without it.  But your
system must have a COMMAND profile defined in the FACILITY class and you
are not authorized.

Here is a snippet of source:

*********************************************************************** 
*                                                                     * 
*  CHECK THE AUTHORITY OF THE USER TO SAF CLASS "FACILITY" FOR        * 
*  ENTITY "COMMAND".  NOTE THAT FASTAUTH IS USED.  TO AVOID THE       * 
*  SITUATION WHERE SPECIAL ATTRIBUTES OF THE USER MAY ALLOW THE       * 
*  ACCESS WITH LOGGING, A CHECK IS MADE FOR A NON-ZERO REASON         * 
*  CODE.  THIS CONDITION WILL BE CONSIDERED A FAILURE.                * 
*                                                                     * 
*********************************************************************** 
AUTHTST  RACROUTE REQUEST=FASTAUTH,WORKA=RACWORK,WKAREA=FRACWORK,      X
               ENTITY=RESOURCE,CLASS=FACILITY,ATTR=READ,               X
               MF=(E,RACROUTE) 
         CH    R15,=H'4'           TEST THE RETURN CODE 
         BE    EXTRACT             NO DECISION POSSIBLE, OK 
         BH    NOTAUTH             GREATER THAN 4, NOT AUTHORIZED 
         CLC   RACROUTE+4(4),=F'0' TEST THE REASON CODE 
         BE    EXTRACT             ZERO, AUTHORIZED 
NOTAUTH  WTO   'CMD913E UNAUTHORIZED USE OF THE COMMAND PROGRAM - JOB AX
               BORTED',ROUTCDE=(2,11) 
         ABEND X'913',,,SYSTEM,REASON=0  ABEND THE JOB 


--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead Zurich North America
/ Farmers Insurance Group - ZFUS G-ITO mailto:[email protected]
z/OS Systems Programming expert at
http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send
email to [email protected] with the message: GET IBM-MAIN INFO Search
the archives at http://bama.ua.edu/archives/ibm-main.html
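
As an added example (not part of the thread, and not the CBT or site source), the branch order of the AUTHTST snippet can be modelled in Python to show which return-code paths let a user through without an explicit RACF grant. It assumes the site-modified version routes SAF return code 4 to FINDUSER, as the CMD107I text suggests, and that IDFIND is a user-ID table lookup, as Wayne guesses; the user IDs and table are constructed.

```python
# Added model of the AUTHTST branch order quoted above; not the CBT or site source.
from dataclasses import dataclass, field

CMD107I = "CMD107I SAFRC04: USING SECONDARY CHECK"
CMD913E = "CMD913E UNAUTHORIZED USE OF THE COMMAND PROGRAM - JOB ABORTED"

@dataclass
class Outcome:
    authorized: bool
    path: str                       # which branch made the decision
    messages: list = field(default_factory=list)

def authtst(saf_rc, reason, userid=None, id_table=None):
    """id_table=None: snippet as posted (RC 4 -> EXTRACT).
    id_table=set: assumed site change (RC 4 -> FINDUSER -> IDFIND lookup)."""
    if saf_rc == 4:                 # CH R15,=H'4' / BE: no decision possible
        if id_table is None:
            return Outcome(True, "saf-no-decision")
        if userid in id_table:      # IDFIND returns zero (hypothetical lookup)
            return Outcome(True, "app-table", [CMD107I])
        return Outcome(False, "app-table", [CMD107I, CMD913E])
    if saf_rc > 4:                  # BH NOTAUTH
        return Outcome(False, "saf-denied", [CMD913E])
    if reason == 0:                 # CLC RACROUTE+4(4),=F'0' / BE EXTRACT
        return Outcome(True, "saf-granted")
    return Outcome(False, "saf-reason-nonzero", [CMD913E])  # falls into NOTAUTH

def granted_outside_saf(cases, id_table=None):
    """User IDs let through without an explicit SAF grant (RC 0, reason 0)."""
    return sorted(user for user, rc, reason in cases
                  if (o := authtst(rc, reason, user, id_table)).authorized
                  and o.path != "saf-granted")

# Constructed sample: (user ID, FASTAUTH return code, reason code)
CASES = [("USERA", 0, 0), ("USERB", 4, 0), ("USERC", 4, 0),
         ("USERD", 8, 0), ("USERE", 0, 4)]

if __name__ == "__main__":
    print(granted_outside_saf(CASES))                      # snippet as posted
    print(granted_outside_saf(CASES, id_table={"USERB"}))  # with secondary table
    print(authtst(4, 0, "USERC", {"USERB"}).messages)      # the symptom Ken reports
```

Running the audit helper over real job data would list the IDs whose access depends on the "no decision" path or on the application table rather than on a RACF permit.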
