Do you, somehow, have a STEPLIB in the RACF started task? If so, is it (they if multiple) in the PROGRAM class for the appropriate profile in the PROGRAM class? Also, are all the DSNs APF authorized?
If no STEPLIB, look in your LINKLIST. What DSN is ADDUSER being fetched from? If you use DDLIST, then LINKLIST, you can do a MEMBER ADDUSER LINKLIST command to find out. If there are multiple (shouldn't be!), then look at the first DSN . Depending of the LNKTAB parameter in IEASYSnn, the DSN may need to be specifically APF authorized. Also, make sure it is in the appropriate profile in the PROGRAM class. On Sat, 2012-07-07 at 16:49 -0400, Scott Ford wrote: > Joel, > > Hers the exact error: > > > 11.51.03 STC00472 CSV025I PROGRAM CONTROLLED MODULE ADDUSER NOT ACCESSED, > USE > 11.51.03 STC00472 IEF196I CSV025I PROGRAM CONTROLLED MODULE ADDUSER NOT ACCES > 11.51.03 STC00472 IEF196I UNAUTHORIZED > 11.51.03 STC00472 CSV028I ABEND306-30 JOBNAME=RACF STEPNAME=RACF > 11.51.03 STC00472 IEF196I CSV028I ABEND306-30 JOBNAME=RACF > STEPNAME=RACF > > > > Scott ford > www.identityforge.com > > On Jul 7, 2012, at 4:11 PM, Scott Ford <scott_j_f...@yahoo.com> wrote: > > > Joel, > > > > Thank you very much. We are working with the customer on Monday. So I have > > homework.. > > > > Scott ford > > www.identityforge.com > > > > On Jul 7, 2012, at 4:05 PM, "Joel C. Ewing" <jcew...@acm.org> wrote: > > > >> Since the error does explicitly complain about authorization for a > >> "controlled program", check for existence of PROGRAM profiles of "**" or > >> "ADDUSER" with an associated member entry with "SYS1.LINKLIB", and if they > >> exist whether the address space getting the error runs with a userid that > >> would have READ access to the controlling profile. Particularly with a > >> PROGRAM "**" profile designed to cover linklist libraries, UACC(READ) > >> would be typical. If the request is coming from a RESTRICTED userid, that > >> could mean it wouldn't see UACC permits and would require explicit access > >> either directly or via a connected group. If you end up altering any > >> program profiles, don't forget to REFRESH the in-memory PROGRAM profiles > >> before testing. > >> JC Ewing > >> > >> On 07/07/2012 02:36 PM, Scott Ford wrote: > >>> Hey Joel, > >>> > >>> We invoke via irrseq00, the permits are good for irr.radmin.adduser, etc > >>> ..so those permits are good. We run our product as a STC with Special, > >>> no issue there > >>> > >>> Scott ford > >>> www.identityforge.com > >>> > >>> On Jul 7, 2012, at 3:00 PM, "Joel C. Ewing" <jcew...@acm.org> wrote: > >>> > >>>> How is the "ADDUSER/AU" being invoked? If in batch TSO as a TSO > >>>> command it should only require RACF SPECIAL authority by the invoking > >>>> userid (and correct definition to TSO of RACF authorized commands). > >>>> Unless program access is specifically disallowed by PROGRAM profiles, I > >>>> would have thought EXECUTE dsn access would be sufficient as long as it > >>>> is loaded via LINKLST. If it is being invoked from some script as > >>>> 'SYS1.LINKLIB(ADDUSER)' that is a different issue, as that syntax says > >>>> you are potentially invoking something not in LINKLST; and since ADDUSER > >>>> is a TSO command processor, it really shouldn't be invoked that way. > >>>> JC Ewing > >>>> > >>>> On 07/07/2012 01:42 PM, Scott Ford wrote: > >>>>> Craig, > >>>>> > >>>>> Here is the problem in a nutshell. Customer has a z/os 1.11 > >>>>> environment. The term used fo the security environment was hardened. > >>>>> But the customer doesn't know their security environment, no > >>>>> documentation, etc. So, we are trying to determine what is causing the > >>>>> s306-30 abend. What RACF commands we can use to determine what is or > >>>>> isn't required for product installation. > >>>>> > >>>>> I need some suggestions...any help is appreciated. > >>>>> > >>>>> Scott ford > >>>>> www.identityforge.com > >>>>> > >>>>> On Jul 6, 2012, at 5:15 PM, craig.p...@fotlinc.com wrote: > >>>>> > >>>>>> Not always, Here is the ABEND 306-30 documentation. > >>>>>> > >>>>>> > >>>>>> The user attempted to use a controlled program but is not > >>>>>> authorized by RACF to use that program. This can occur when a > >>>>>> user has EXECUTE access to a program library's data set profile, > >>>>>> even if none of the program modules involved are RACF program > >>>>>> protected. Have the system security administrator grant you READ > >>>>>> access to the data set profile instead. > >>>>>> > >>>>>> > >>>>>> Thanks, > >>>>>> > >>>>>> Craig > >>>>>> > >>>>>> From: Scott Ford <scott_j_f...@yahoo.com> > >>>>>> To: IBM-MAIN@LISTSERV.UA.EDU > >>>>>> Date: 07/06/2012 15:34 > >>>>>> Subject: RACF question > >>>>>> Sent by: IBM Mainframe Discussion List > >>>>>> <IBM-MAIN@LISTSERV.UA.EDU> > >>>>>> > >>>>>> > >>>>>> > >>>>>> All, > >>>>>> I have a question, I have a customer receiving a csv0025i abends306-30 > >>>>>> on > >>>>>> a adduser. > >>>>>> Shouldn't we be seeing a ich408i message ? > >>>>>> > >>>>>> Scott ford > >>>>>> www.identityforge.com > >>>>>> ---------------------------------------------------------------------- > >>>> > >>>> > >>>> > >>>> -- > >>>> Joel C. Ewing, Bentonville, AR jcew...@acm.org > >> ... > >> > >> -- > >> Joel C. Ewing, Bentonville, AR jcew...@acm.org > >> > >> ---------------------------------------------------------------------- > >> For IBM-MAIN subscribe / signoff / archive access instructions, > >> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > > > ---------------------------------------------------------------------- > > For IBM-MAIN subscribe / signoff / archive access instructions, > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- John McKown Maranatha! <>< ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
