Author Topic: User security exit, RACF and load permission

PasiPK

  • Guest
User security exit, RACF and load permission
« on: January 13, 2010, 07:00:31 AM »
Hello!
We are using RACF definitions via a user security exit to control read access to folders and application groups. It seems to work OK; we also changed the security exit so that we can have multiple environments in one LPAR.

Now we are trying to find out why ARSLOAD says
"User >ODUSER1< does not have permission to perform the specified action"

User ODUSER1 has update access to class ARS1APGP profile *.

Maybe ARSLOAD is not using the security exit at all?

Ed_Arnold

  • Hero Member
  • Posts: 1200
Re: User security exit, RACF and load permission
« Reply #1 on: January 14, 2010, 01:08:20 PM »
Hello Pasi - I can't look inside your exit (nor do I care to) but indeed arsload may not be using the exit.

This is off the top of my head, but I think it's something like this:

1. -u userid -p password if it's a parm on the arsload

2. arsload.cfg if no -u/-p | userid ADMIN if userid not specified in arsload.cfg

3. ARS.PTGN exit, if specified, and no arsload.cfg will try to use passtickets

That may not be 100% correct, what I just said, but hopefully it'll point you in the right direction.

Does this help?

Ed
#zOS #ODF

Bill Dennis

  • Guest
Re: User security exit, RACF and load permission
« Reply #2 on: January 25, 2010, 01:05:18 PM »
Is ODUSER1 defined as an Administrator? I think this is still required for load IDs.


PasiPK

  • Guest
Re: User security exit, RACF and load permission
« Reply #3 on: January 26, 2010, 01:31:45 AM »
Hello! First, an answer to Ed: your description seems to be related to logon possibilities; this area works, no problems with logging in.

Answer to Bill: ODUSER1 is not an administrator. We have checked that loading also works for a normal user. Because this is a test environment, we allow loading for all programmers.

We have just done more testing, and it appears:
PUBLIC authority does not work. Not for reading documents, not for loading. Maybe with RACF this PUBLIC is not used.

So as we want to allow reading and loading, we decided to create a user group and include all users in it.
Then for this user group we give access to all folders and also allow loading.

I already thought: why do we use RACF at all in the test environment, as we allow so much? In production RACF is important, and we need to have a similar test environment.

geoffwilde

  • Administrator
  • Sr. Member
  • Posts: 253
  • z/os erm icn
Re: User security exit, RACF and load permission
« Reply #4 on: March 04, 2010, 06:59:38 AM »
For us, we had to add the user IDs to the CMOD user table with full authority and specify that ID in the load task. Public is not used.
President, OnDemand Users Group
Lead Technician for Content Manager OnDemand @
US Bank
#zSeries