John, Are they defining generic profiles to protect resources in this class? If yes, did they remember to activate SETROPTS GENCMD and GENERIC for the class, especially _before_ creating such profiles. Have them execute SEARCH CLASS(class) and examine the resulting profile list to verify all profiles containing generic characters show a '(G)' to the right of the profile. Also look at SETROPTS LIST to confirm the class is listed under both GENERIC PROFILE CLASSES and GENERIC COMMAND CLASSES.
Assuming GENERIC is active, have them create a ** catch-all profile in the class to see if this results in a profile being found. Have they RACLISTed the class? If yes, are they remembering to RACLIST REFRESH the class every time they make a profile change? The REFRESH needs to be performed on each system sharing the RACF database, especially on the system where this CICS environment is running. Regards, Bob Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel www.rshconsulting.com -----Original Message----- Date: Wed, 29 Nov 2023 16:18:49 +0000 From: Rob Scott <[email protected]> Subject: Re: RACROUTE REQUEST=AUTH problem Yes - so you have a "4,4,0" set of SAF_RC,RACF_RC and RACF_RSN >From the RACROUTE macro docs , the RACF-RC/RSN means : 04 The specified resource is not protected by RACF. If PROTECTALL is active, no profile is found, and the user ID whose authority was checked does not have the SPECIAL attribute, RACF returns a return code X'08' instead of a return code X'04' and denies access. Reason code Meaning 00 One of the following has occurred: • There is no RACF profile protecting the resource. • RACF is not active. • Specified class is not in the RACF class descriptor table. • Specified class (other than DSNR) is not active. • Specified class requires SETROPTS RACLIST option to be active and it is not. • CLASS TEMPDSN was active and the data set is a temporary data set. • A userid of *BYPASS* has been passed on the authorization check. No profile checking will occur. You have at least one of the above conditions Rob -----Original Message----- From: IBM Mainframe Discussion List <[email protected]> On Behalf Of John Blythe Reid Sent: Wednesday, November 29, 2023 4:14 PM To: [email protected] Subject: Re: RACROUTE REQUEST=AUTH problem EXTERNAL EMAIL Rob, I'm looking at SAFPRRET and SAFPRREA in a test on our LPAR. After checking a non-existent resource SAFPRRET contains X'00000004' and SAFPRREA contains binary zeros. Is the value in SAFPRRET the RACF RC ? The RACROUTE macro return code in R15 is also X'04'. Regards, John. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
