
List:       racf-l
Subject:    Re: STORCLAS profiles requires UACC of READ
From:       John Hilman <john.hilman () GO2VANGUARD ! COM>
Date:       2021-10-29 18:10:40
Message-ID: 3e237c6f8fdf4a939d93db0daf8ff6f1 () go2vanguard ! com

Vanguard Integrity Professionals - External - Public
Ray,

You may have hit the nail on the head.  The ICH408I message does say "JOB()" instead of "USER()".  What's interesting is the JOB(userID) is the actual userID trying to logon.  Since this is a client system, I don't have the ability to make any changes, but I will pass along your suggestions.

John Hilman
VANGUARD Integrity Professionals
External - Public
Classified by john.hilman@go2vanguard.com on 10/29/2021 1:10:36 PM

-----Original Message-----
From: RACF Discussion List <RACF-L@LISTSERV.UGA.EDU> On Behalf Of Ray Overby
Sent: Friday, October 29, 2021 12:39 PM
To: RACF-L@LISTSERV.UGA.EDU
Subject: Re: STORCLAS profiles requires UACC of READ

Just my .02 here

As I understand it something in the logon process is allocating something that is driving SMS code which then issues a RACROUTE REQUEST=AUTH|FASTAUTH. I assume that SMS STORCLAS is involved in the allocation. That AUTH call is failing. This all happens because someone activated STORCLAS class in RACF.

I believe the problem is caused because the code that issues the RACROUTE REQUEST=AUTH|FASTAUTH is executed before security is initialized in the TSO address space. Some items to check:

- If the ICH408I message says "JOB()" instead of "USER()" then at the time of the RACROUTE REQUEST=AUTH|FASTAUTH there is no security in place.

- The change from ID(*) to UACC(READ) and it starts working is an indication that the user requesting access was an undefined RACF user.

- You could try and change the allocation from SMS to non-SMS to see if problem goes away.

In your environment not sure how you can activate STORCLAS if TSO logons fail without putting UACC(READ) in profile. Seems to be counterproductive. You could make an argument that the code that issues the RACROUTE REQUEST=AUTH|FASTAUTH should be modified to act differently.


On 10/29/2021 9:55 AM, John Hilman wrote:
> Vanguard Integrity Professionals - External - Public
> 
> I'm working with a customer who updated their STORCLAS profiles with a UACC of NONE and added ID(*) to the access list with READ access.  However, once the change was made and RACLIST REFRESH was issued, no one was able to logon to TSO.  Changing the UACC back to READ resolved the issue.
> Does anyone know where I can find documentation that states STORCLAS profiles require UACC of READ?
> John Hilman
> VANGUARD Integrity Professionals
> 
> External - Public
> Classified by john.hilman@go2vanguard.com on 10/29/2021 9:55:31 AM
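
The JOB() versus USER() check discussed in this thread can be run over collected ICH408I messages; the following is an added example, not code from either poster or from any product. It assumes the message text has had its syslog prefixes stripped and follows the layout shown in the constructed sample; every user, profile and step name in it is made up.

```python
import re

# Constructed sample (not from the thread): two ICH408I messages with
# syslog prefixes stripped. All names are made up for illustration.
SAMPLE = """\
ICH408I JOB(TSOUSR1 ) STEP(LOGONPRC)
  SCSTD CL(STORCLAS)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(TSOUSR2 ) GROUP(SYS1    ) NAME(CONSTRUCTED USER    )
  PAYROLL.MASTER CL(DATASET )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )
"""

HEAD = re.compile(r"ICH408I\s+(USER|JOB)\(\s*([^)]*?)\s*\)")
CLASS = re.compile(r"^\s*(\S+)\s+CL\(\s*([^)]*?)\s*\)")
ACCESS = re.compile(
    r"ACCESS INTENT\(\s*([^)]*?)\s*\)\s+ACCESS ALLOWED\(\s*([^)]*?)\s*\)")

def parse_ich408i(text):
    """Group each ICH408I header with its continuation lines into a dict."""
    events, cur = [], None
    for line in text.splitlines():
        m = HEAD.search(line)
        if m:  # a new message starts here
            cur = {"identity": m.group(1), "name": m.group(2)}
            events.append(cur)
            continue
        if cur is None:  # continuation line with no header seen yet
            continue
        if (m := CLASS.match(line)) and "class" not in cur:
            cur["resource"], cur["class"] = m.group(1), m.group(2)
        elif (m := ACCESS.search(line)):
            cur["intent"], cur["allowed"] = m.group(1), m.group(2)
    return events

def no_security_context(events, class_name=None):
    """Events reported as JOB(), i.e. the check ran without a user identity."""
    return [e for e in events
            if e["identity"] == "JOB"
            and (class_name is None or e.get("class") == class_name)]

if __name__ == "__main__":
    for e in no_security_context(parse_ich408i(SAMPLE), "STORCLAS"):
        print(f"{e['name']}: {e['class']} {e['resource']} "
              f"intent={e['intent']} allowed={e['allowed']} (no user identity)")
```

Running this over messages gathered while the class is still at UACC(READ) with auditing enabled shows which STORCLAS checks would fail under UACC(NONE) plus ID(*).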

