Joel,

Thank you very much. We are working with the customer on Monday. So I have homework..

Scott ford
www.identityforge.com

On Jul 7, 2012, at 4:05 PM, "Joel C. Ewing" <[email protected]> wrote:

> Since the error does explicitly complain about authorization for a
> "controlled program", check for existence of PROGRAM profiles of "**" or
> "ADDUSER" with an associated member entry with "SYS1.LINKLIB", and if they
> exist whether the address space getting the error runs with a userid that
> would have READ access to the controlling profile. Particularly with a
> PROGRAM "**" profile designed to cover linklist libraries, UACC(READ) would
> be typical. If the request is coming from a RESTRICTED userid, that could
> mean it wouldn't see UACC permits and would require explicit access either
> directly or via a connected group. If you end up altering any program
> profiles, don't forget to REFRESH the in-memory PROGRAM profiles before
> testing.
> JC Ewing
>
> On 07/07/2012 02:36 PM, Scott Ford wrote:
>> Hey Joel,
>>
>> We invoke via irrseq00, the permits are good for irr.radmin.adduser, etc.,
>> so those permits are good. We run our product as a STC with Special, no
>> issue there
>>
>> Scott ford
>> www.identityforge.com
>>
>> On Jul 7, 2012, at 3:00 PM, "Joel C. Ewing" <[email protected]> wrote:
>>
>>> How is the "ADDUSER/AU" being invoked? If in batch TSO as a TSO command
>>> it should only require RACF SPECIAL authority by the invoking userid (and
>>> correct definition to TSO of RACF authorized commands). Unless program
>>> access is specifically disallowed by PROGRAM profiles, I would have thought
>>> EXECUTE dsn access would be sufficient as long as it is loaded via LINKLST.
>>> If it is being invoked from some script as 'SYS1.LINKLIB(ADDUSER)' that is
>>> a different issue, as that syntax says you are potentially invoking
>>> something not in LINKLST; and since ADDUSER is a TSO command processor, it
>>> really shouldn't be invoked that way.
>>> JC Ewing
>>>
>>> On 07/07/2012 01:42 PM, Scott Ford wrote:
>>>> Craig,
>>>>
>>>> Here is the problem in a nutshell. Customer has a z/OS 1.11 environment.
>>>> The term used for the security environment was hardened. But the customer
>>>> doesn't know their security environment, no documentation, etc. So, we are
>>>> trying to determine what is causing the s306-30 abend. What RACF commands
>>>> we can use to determine what is or isn't required for product installation.
>>>>
>>>> I need some suggestions...any help is appreciated.
>>>>
>>>> Scott ford
>>>> www.identityforge.com
>>>>
>>>> On Jul 6, 2012, at 5:15 PM, [email protected] wrote:
>>>>
>>>>> Not always. Here is the ABEND 306-30 documentation.
>>>>>
>>>>>
>>>>> The user attempted to use a controlled program but is not
>>>>> authorized by RACF to use that program. This can occur when a
>>>>> user has EXECUTE access to a program library's data set profile,
>>>>> even if none of the program modules involved are RACF program
>>>>> protected. Have the system security administrator grant you READ
>>>>> access to the data set profile instead.
>>>>>
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Craig
>>>>>
>>>>> From: Scott Ford <[email protected]>
>>>>> To: [email protected]
>>>>> Date: 07/06/2012 15:34
>>>>> Subject: RACF question
>>>>> Sent by: IBM Mainframe Discussion List <[email protected]>
>>>>>
>>>>>
>>>>>
>>>>> All,
>>>>> I have a question, I have a customer receiving a csv0025i abend s306-30 on
>>>>> an adduser.
>>>>> Shouldn't we be seeing an ich408i message ?
>>>>>
>>>>> Scott ford
>>>>> www.identityforge.com
>>>>> ----------------------------------------------------------------------
>>>
>>>
>>>
>>> --
>>> Joel C. Ewing, Bentonville, AR [email protected]
> ...
>
> --
> Joel C. Ewing, Bentonville, AR [email protected]
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
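
The checks suggested in the thread above, gathered into one batch TSO job as an added example that is not part of the original messages. The job card values and the userid STCUSER (standing in for the started task's userid) are placeholders, and the submitter needs enough RACF authority to list these profiles.

```jcl
//RACFCHK  JOB (ACCT),'S306-30 CHECKS',CLASS=A,MSGCLASS=X
//*
//* Added example: list the RACF definitions relevant to an
//* S306-30 abend on ADDUSER. Output goes to SYSTSPRT.
//*
//* SETROPTS LIST     - shows whether WHEN(PROGRAM) is active
//* RLIST PROGRAM **  - catch-all PROGRAM profile, if defined:
//*                     member (library) entries, UACC, access list
//* RLIST PROGRAM ADDUSER - profile for the command itself, if defined
//* LISTDSD ... GENERIC   - data set profile covering SYS1.LINKLIB:
//*                     look for EXECUTE where READ is needed
//* LISTUSER STCUSER  - ATTRIBUTES line shows SPECIAL / RESTRICTED
//*                     and the connected groups are listed
//*
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS LIST
  RLIST PROGRAM ** ALL
  RLIST PROGRAM ADDUSER ALL
  LISTDSD DATASET('SYS1.LINKLIB') ALL GENERIC
  LISTUSER STCUSER
/*
```

A "profile not found" response from either RLIST is itself useful, since it rules that profile out. If a PROGRAM profile is changed afterwards, `SETROPTS WHEN(PROGRAM) REFRESH` reloads the in-memory copies before retesting.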
