List: racf-l
Subject: Re: STORCLAS profiles requires UACC of READ
From: John Hilman <john.hilman () GO2VANGUARD ! COM>
Date: 2021-10-29 18:10:40
Message-ID: 3e237c6f8fdf4a939d93db0daf8ff6f1 () go2vanguard ! com
Vanguard Integrity Professionals - External - Public
Ray,
You may have hit the nail on the head. The ICH408I message does say "JOB()" instead of "USER()". What's interesting is the JOB(userID) is the actual userID trying to logon. Since this is a client system, I don't have the ability to make any changes, but I will pass along your suggestions.
John Hilman
VANGUARD Integrity Professionals
External - Public
Classified by john.hilman@go2vanguard.com on 10/29/2021 1:10:36 PM
-----Original Message-----
From: RACF Discussion List <RACF-L@LISTSERV.UGA.EDU> On Behalf Of Ray Overby
Sent: Friday, October 29, 2021 12:39 PM
To: RACF-L@LISTSERV.UGA.EDU
Subject: Re: STORCLAS profiles requires UACC of READ
Just my .02 here
As I understand it, something in the logon process is allocating something that is driving SMS code which then issues a RACROUTE REQUEST=AUTH|FASTAUTH. I assume that SMS STORCLAS is involved in the allocation. That AUTH call is failing. This all happens because someone activated STORCLAS class in RACF.
I believe the problem is caused because the code that issues the RACROUTE REQUEST=AUTH|FASTAUTH is executed before security is initialized in the TSO address space. Some items to check:
- If the ICH408I message says "JOB()" instead of "USER()" then at the time of the RACROUTE REQUEST=AUTH|FASTAUTH there is no security in place.
- The change from ID(*) to UACC(READ) and it starts working is an indication that the user requesting access was an undefined RACF user.
- You could try and change the allocation from SMS to non-SMS to see if problem goes away.
In your environment not sure how you can activate STORCLAS if TSO logons fail without putting UACC(READ) in profile. Seems to be counterproductive. You could make an argument that the code that issues the RACROUTE REQUEST=AUTH|FASTAUTH should be modified to act differently.
On 10/29/2021 9:55 AM, John Hilman wrote:
> Vanguard Integrity Professionals - External - Public
>
> I'm working with a customer who updated their STORCLAS profiles with a UACC of NONE and added ID(*) to the access list with READ access. However, once the change was made and RACLIST REFRESH was issued, no one was able to logon to TSO. Changing the UACC back to READ resolved the issue.
> Does anyone know where I can find documentation that states STORCLAS profiles require UACC of READ?
> John Hilman
> VANGUARD Integrity Professionals
>
> External - Public
> Classified by john.hilman@go2vanguard.com on 10/29/2021 9:55:31 AM
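
The first check suggested in the thread (ICH408I showing "JOB()" rather than "USER()" for a STORCLAS resource), run over captured SYSLOG text, as an added example that is not part of the original messages. The sample messages, IDs and resource names are constructed, and the parser assumes SYSLOG line prefixes have already been stripped.

```python
import re

# Constructed sample, not taken from the thread. ICH408I is a multi-line
# message whose first line names either USER(...) or JOB(...).
SAMPLE = """\
ICH408I JOB(TSOUSR1 ) STEP(TSOPROC )
  SCSTD CL(STORCLAS)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(TSOUSR2 ) GROUP(STAFF   ) NAME(CONSTRUCTED USER    )
  PROD.PAYROLL.DATA CL(DATASET ) VOL(VOL001)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )
"""

HEAD = re.compile(r"ICH408I\s+(USER|JOB)\(\s*([^)]*?)\s*\)")
CLASS = re.compile(r"^\s*(\S+)\s+CL\(\s*([^)]*?)\s*\)")
PAIR = re.compile(r"ACCESS (INTENT|ALLOWED)\(\s*([^)]*?)\s*\)")

def parse_ich408i(text):
    """Return one dict per ICH408I message found in text."""
    events, cur = [], None
    for line in text.splitlines():
        m = HEAD.search(line)
        if m:  # first line of a new message
            cur = {"kind": m.group(1), "id": m.group(2),
                   "resource": None, "class": None}
            events.append(cur)
            continue
        if cur is None:  # continuation line with no message before it
            continue
        m = CLASS.match(line)
        if m and cur["class"] is None:
            cur["resource"], cur["class"] = m.group(1), m.group(2)
        for key, val in PAIR.findall(line):
            cur[key.lower()] = val  # "intent" / "allowed"
    return events

def no_security_context(events, racf_class="STORCLAS"):
    """Violations in racf_class that were reported with JOB() instead of USER()."""
    return [e for e in events
            if e["class"] == racf_class and e["kind"] == "JOB"]

if __name__ == "__main__":
    for e in no_security_context(parse_ich408i(SAMPLE)):
        print(f"{e['class']} {e['resource']}: checked as JOB({e['id']}), "
              f"intent {e['intent']}, allowed {e['allowed']}")
```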