>From a thread in RACF from 2008 This message occurs when a token from one lpar may be used on another lpar. Do these lpars SHARE the same RACF database? If so then making each one LOCAL to the other is okay.
If they DO NOT share the same DB then NODES profiles may be necessary to do userid/ group transaltion. >From the Racf Messages: Check to see if the execution node is supposed to be local. If it is, make sure that the node is defined to the &RACLNDE profile in the RACFVARS class. Otherwise, only the UACC authority for the protected resource can be obtained. Does that help? Lizette -----Original Message----- From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Charles Mills Sent: Wednesday, May 20, 2020 2:21 PM To: [email protected] Subject: Why ICH0007I and how fix? I asked this question this morning on RACF-L and got not a whimper. Perhaps it is a JES2 question and not a RACF question? I am issuing a JES2 $DQ command from a Rexx EXEC running under IKJEFT01. It is all working but for every command issued I am getting ICH70007I USER AUTHORITY CANNOT BE USED FOR THIRD-PARTY AUTHORIZATION CHECK FOR USER (userid ) GROUP (SYS1 ) BECAUSE THE EXECUTION NODE (mynode) IS NOT LOCAL. UACC WILL BE USED. I have read the description of the message https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.2.0/com.ibm.zos.v2r2 .icha600/ich70007i.htm but I don't understand any more than I did before. I am *not* getting ICH408I so I guess that is why it is all working. AFAIK 'mynode' *is* the local LPAR. I am not specifying any node in my CONSOLE ACTIVATE/CART/ADDRESS CONSOLE. $HASP826 NODE(1) $HASP826 NODE(1) NAME=mynode,STATUS=(OWNNODE),TRANSMIT=BOTH, $HASP826 RECEIVE=BOTH,HOLD=NONE Can someone explain what the message means and how to make it go away? I see "make sure that the node is defined to the &RACLNDE profile in the RACFVARS class." How do I do that and what are the risks? As you can tell, I am not a RACF admin, only playing one in my spare time. Thanks, Charles ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
