Topic
  • 4 replies
  • Latest Post - ‏2013-01-02T14:48:40Z by SystemAdmin
SystemAdmin
SystemAdmin
310 Posts

Pinned topic ISPF Panel Option RA not selectable

‏2012-11-22T13:16:24Z |
Hi,

I'm working on a first time implementation of zSecure V1.13.
ISPF Panels show OPTION RA, but tipping RA gives no result. Nothing happens. All other OPTIONS work fine.

Authorization to XFACILIT Profile CKR.** is there. Check of SMF records don't show any violations in class XFACILIT.

I'm looking for any idea, to find out what's missing.

Thank you in advance.
Regards
R. Seegers
Updated on 2013-01-02T14:48:40Z at 2013-01-02T14:48:40Z by SystemAdmin
  • SystemAdmin
    SystemAdmin
    310 Posts

    Re: ISPF Panel Option RA not selectable

    ‏2012-12-17T09:31:47Z  
    Have you got profiles for CKR.READALl and CKR.ACTION.** The manual for 1.12 states

    "zSecure makes use of SAF to configure menus, and to determine what data
    (profiles, rules, SMF records) users are allowed to see. Users will see only the
    resources in their scope, unless they have READ access to the CKR.READALL
    resource. In order to allow users access to all menu functions and options, they
    need READ access to the resources CKR.ACTION.** and CKR.OPTION.**,
    respectively."

    Implying that there may be an issue with not having these profiles. Alternatively do you have any CKR.OPTION.RA.** profiles that are denying access (although I would expect top see violations on the log and in SMF if these were in place.

    Eamonn
  • SystemAdmin
    SystemAdmin
    310 Posts

    Re: ISPF Panel Option RA not selectable

    ‏2012-12-20T08:39:16Z  
    Have you got profiles for CKR.READALl and CKR.ACTION.** The manual for 1.12 states

    "zSecure makes use of SAF to configure menus, and to determine what data
    (profiles, rules, SMF records) users are allowed to see. Users will see only the
    resources in their scope, unless they have READ access to the CKR.READALL
    resource. In order to allow users access to all menu functions and options, they
    need READ access to the resources CKR.ACTION.** and CKR.OPTION.**,
    respectively."

    Implying that there may be an issue with not having these profiles. Alternatively do you have any CKR.OPTION.RA.** profiles that are denying access (although I would expect top see violations on the log and in SMF if these were in place.

    Eamonn
    Thank you for the answer.
    After a long search we found the reason for the problem.
    There was an old command table entry in the system beginning with RA for RACF. Outside of zSecure typing RA gave us a panel not found error. Inside the zSecure Dialog this message was suppressed.
    We removed the command table entry and now the Option RA in zSecure works fine.
  • Guus.Bonnes
    Guus.Bonnes
    171 Posts

    Re: ISPF Panel Option RA not selectable

    ‏2012-12-20T15:54:13Z  
    Thank you for the answer.
    After a long search we found the reason for the problem.
    There was an old command table entry in the system beginning with RA for RACF. Outside of zSecure typing RA gave us a panel not found error. Inside the zSecure Dialog this message was suppressed.
    We removed the command table entry and now the Option RA in zSecure works fine.
    Thanks for letting us know what caused it, and that you solved it.
    Now I can forget about it...
  • SystemAdmin
    SystemAdmin
    310 Posts

    Re: ISPF Panel Option RA not selectable

    ‏2013-01-02T14:48:40Z  
    Have you got profiles for CKR.READALl and CKR.ACTION.** The manual for 1.12 states

    "zSecure makes use of SAF to configure menus, and to determine what data
    (profiles, rules, SMF records) users are allowed to see. Users will see only the
    resources in their scope, unless they have READ access to the CKR.READALL
    resource. In order to allow users access to all menu functions and options, they
    need READ access to the resources CKR.ACTION.** and CKR.OPTION.**,
    respectively."

    Implying that there may be an issue with not having these profiles. Alternatively do you have any CKR.OPTION.RA.** profiles that are denying access (although I would expect top see violations on the log and in SMF if these were in place.

    Eamonn
    Eamonn,
    You will never see ICH408I messages or SMF for the CKR.OPTION.** or CKR.ACTION.** profiles.

    The reason you won't see them is that the RACROUTE macros for these profiles are coded with LOG=NONE and this is for good reason. We would not want to see ICH408I and collect SMF every time a zSecure user enters and exits their panels. Imagine how many times this might occur during the day; many ISPF applications work this way. The application needs to query RACF to find out what access you have so it can build your ISPF environment but such RACROUTEs are not worthy of being logged because the application is simply trying to find out what it needs to set up your ISPF enviornment.

    This brings up a good point. While we can set auditing values in RACF via the profile for SETROPTS LOGOPTIONS it truly is up to the caller of RACF to decide whether or not something will be logged because it all comes down to the LOG= parameter on the RACROUTE macro.

    So how do you determine which CKR resource is the culprit?
    Well there is some documentation in the installation guide. Not every profile is documented there but enough to get the idea.

    There is also a debug option that will trace every panel option as you launch zSecure and save it to the C2RIMENU listing but I don't want to go into that level of detail here. You should contact support before using the SE.T tracing functions.

    Hope that helps,
    Joel