I stumbled on this problem early in our CMOS adventure. You have to be very careful about granting 'more authority' than a user needs. It's not an integrity problem; it's functional. I've not see this problem documented, but it seems to work like this.
If you grant a 'regular sysprog' ACSADMIN or SERVICE authority, that user will not be able to perform all necessary sysprog activities. Rather than layering additional privileges on top of others, user functions get redefined. It sounds like you added SERVICE to the userids, which takes precedence when selecting an object. You need to remove that authority. The only solution I've found, PITA that it is, is to create multiple userids for each individual, one for SYSPROG, and one (only if needed) for ACSADMIN. I would not add SERVICE to any userid unless your staff has to perform your own maintenance activities. If so, god help you. . . J.O.Skip Robinson Southern California Edison Company Electric Dragon Team Paddler SHARE MVS Program Co-Manager 323-715-0595 Mobile 626-543-6132 Office ⇐=== NEW [email protected] -----Original Message----- From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Vince Getgood Sent: Tuesday, February 14, 2017 8:03 AM To: [email protected] Subject: (External):New HMC user issue (z12BC) Hi, Due to budget constraints, my contract is being cut short (but that's another story). I've been asked to allow others access to the HMC, so that they can IPL systems, and have set up a bunch of new userids on the HMC. As far as I can tell they have all the authority that my HMC userid has (in fact, I've given them more authority). One of the new users has logged on, and was going through the motions to IPL an LPAR (without actually IPL'ing it!). They are using the "tree" interface. They navigate to Systems, and select the (single) CEC. They get all the defined LPARS displayed, all good so far. If they select an LPAR by clicking on the radio button, expand Recovery, and click on Load, they get a "Invalid Target Object List" box pop up, which says: - "One or more of the objects to be targeted for the selected task are currently not valid for the task. Review the object list to determine which objects are not valid for the task at this time. Click "Yes" to continue the task with only the valid objects as targets. Click "No" to end the task" The Reason shown is "Service status must be enabled to perform a disruptive task." I've checked the new users, and they all have "Require password for disruptive actions" checked. There is no disruptive task lock on the system anywhere. I'm at a loss. Can anyone shed any light on what's happening here please? ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
