When you execute the macro, space for the RACF® return code and reason code is reserved in the first two words of the RACROUTE parameter list. You can access them using the ICHSAFP mapping macro by loading the ICHSAFP pointer with the label that you specified on the list form of the macro. When control is returned, register 15 contains the SAF return code.

SAF RC

Meaning

00

RACROUTE REQUEST=AUTH completed successfully.

RACF RC

Meaning

00

The user is authorized by RACF to obtain use of a RACF-protected resource.

Reason code

Meaning

00

Indicates a normal completion.

04

Indicates one of the following:

• STATUS=ERASE was specified and the data set is to be erased when scratched, or
• The warning status of the resource was requested by the RACROUTE REQUEST=AUTH issuer's setting bit X'10' at offset 12 decimal in the request-specific portion of the RACROUTE REQUEST=AUTH parameter list, and authorization was granted because WARNING was specified in the profile protecting the resource. The X'10' at offset 12 bit is not a programming interface. The request-specific portion of the RACROUTE REQUEST=AUTH parameter list follows the RACROUTE parameter list (ICHSAFP) and is mapped by the mapping macro, ICHACHKL.

10

When CLASS=TAPEVOL, indicates the TAPEVOL profile contains a TVTOC.

20

When CLASS=TAPEVOL, indicates that the TAPEVOL profile can contain a TVTOC, but currently does not (for a scratch pool volume).

24

When CLASS=TAPEVOL, indicates that the TAPEVOL profile does not contain a TVTOC.

XX

If the reason code is greater than or equal to hexadecimal 200 (decimal 512), see Class descriptor table (CDT) default return codes and reason codes.

14

Requested function with STATUS=ACCESS specified has completed successfully. The user's highest access to the specified resource is indicated by one of the following reason codes:

Reason Code

Meaning

00

The user has no access.

04

The user has READ authority.

08

The user has UPDATE authority.

0C

The user has CONTROL authority.

10

The user has ALTER authority.

04

Requested function could not be completed. No RACF decision.

RACF RC

Meaning

00

No security decision could be made.

Reason code

Meaning

00

RACF was not called to process the request because one of the following occurred:

• RACF is not installed.
• The combination of class, REQSTOR, and SUBSYS was found in the RACF router table, and ACTION=NONE was specified.
• The RACROUTE issuer specified DECOUPL=YES and a RELEASE= keyword with a higher release than is supported by this level of z/OS®.
• The specified class is DSNR and the DSNR class is inactive.

04

The specified resource is not protected by RACF.

If PROTECTALL is active, no profile is found, and the user ID whose authority was checked does not have the SPECIAL attribute, RACF returns a return code X'08' instead of a return code X'04' and denies access.

Reason code

Meaning

00

One of the following has occurred:

• There is no RACF profile protecting the resource.
• RACF is not active.
• Specified class is not in the RACF class descriptor table.
• Specified class (other than DSNR) is not active.
• Specified class requires SETROPTS RACLIST option to be active and it is not.
• CLASS TEMPDSN was active and the data set is a temporary data set.
• A userid of *BYPASS* has been passed on the authorization check. No profile checking will occur.

04

Indicates STATUS=ERASE was specified and the data set is to be erased when scratched.

582

Reserved.

08

Requested function has failed.

RACF RC

Meaning

08

The user is not authorized by RACF to obtain use of the specified RACF-protected resource.

Reason code

Meaning

00

Indicates a normal completion. A possible cause would be PROTECTALL is active, no profile is found, and the user ID whose authority was checked does not have the SPECIAL attribute.

04

Indicates STATUS=ERASE was specified and the data set is to be erased when scratched.

08

Indicates DSTYPE=T or CLASS=TAPEVOL was specified and the user is not authorized to use the specified volume.

0C

For tape data set processing, the user is not authorized to use the data set.

10

Indicates DSTYPE=T or CLASS=TAPEVOL was specified and the user is not authorized to specify TAPELBL=(,BLP).

14

Indicates the user is not authorized to open a non-cataloged data set.

18

Indicates the user is not authorized to issue RACROUTE REQUEST=AUTH when system is in tranquil state (MLQUIET).

1C

A user with EXECUTE authority to the data set profile specified ATTR=READ, and RACF failed the access attempt.

20

The user's security label does not dominate that of the resource; it fails security label authorization checking.

24

The user's security label can never dominate that of the resource.

28

The resource must have a security label, but does not have one.

2C

Conditional access could not be granted because the environment is not controlled.

XX

If the reason code is greater than or equal to hexadecimal 200 (decimal 512), see Class descriptor table (CDT) default return codes and reason codes.

0C

The OLDVOL specified was not part of the multivolume data set defined by VOLSER, or it was not part of the same tape volume defined by ENTITY.

10

RACROUTE REQUEST=VERIFY was issued by a third party, and RACROUTE REQUEST=AUTH failed.

Reason code

Meaning

XX

This value is the RACF return code from the RACROUTE REQUEST=VERIFY. Refer to Return codes and reason codes for an explanation of these reason codes. Under SAF return code X'08', see RACF return code XX.

64

Indicates that the CHECK subparameter of the RELEASE keyword was specified on the execute form of the RACROUTE REQUEST=AUTH macro; however, the list form of the macro does not have the same RELEASE parameter. Macro processing terminates.