I'm working on a first time implementation of zSecure V1.13.
ISPF Panels show OPTION RA, but tipping RA gives no result. Nothing happens. All other OPTIONS work fine.
Authorization to XFACILIT Profile CKR.** is there. Check of SMF records don't show any violations in class XFACILIT.
I'm looking for any idea, to find out what's missing.
Thank you in advance.
Pinned topic ISPF Panel Option RA not selectable
Answered question This question has been answered.
Unanswered question This question has not been answered yet.
Updated on 2013-01-02T14:48:40Z at 2013-01-02T14:48:40Z by SystemAdmin
Re: ISPF Panel Option RA not selectable2012-12-17T09:31:47ZThis is the accepted answer. This is the accepted answer.Have you got profiles for CKR.READALl and CKR.ACTION.** The manual for 1.12 states
"zSecure makes use of SAF to configure menus, and to determine what data
(profiles, rules, SMF records) users are allowed to see. Users will see only the
resources in their scope, unless they have READ access to the CKR.READALL
resource. In order to allow users access to all menu functions and options, they
need READ access to the resources CKR.ACTION.** and CKR.OPTION.**,
Implying that there may be an issue with not having these profiles. Alternatively do you have any CKR.OPTION.RA.** profiles that are denying access (although I would expect top see violations on the log and in SMF if these were in place.
Re: ISPF Panel Option RA not selectable2012-12-20T08:39:16ZThis is the accepted answer. This is the accepted answer.
- SystemAdmin 110000D4XK
After a long search we found the reason for the problem.
There was an old command table entry in the system beginning with RA for RACF. Outside of zSecure typing RA gave us a panel not found error. Inside the zSecure Dialog this message was suppressed.
We removed the command table entry and now the Option RA in zSecure works fine.
Guus.Bonnes 01000029EM197 Posts
Re: ISPF Panel Option RA not selectable2013-01-02T14:48:40ZThis is the accepted answer. This is the accepted answer.
- SystemAdmin 110000D4XK
You will never see ICH408I messages or SMF for the CKR.OPTION.** or CKR.ACTION.** profiles.
The reason you won't see them is that the RACROUTE macros for these profiles are coded with LOG=NONE and this is for good reason. We would not want to see ICH408I and collect SMF every time a zSecure user enters and exits their panels. Imagine how many times this might occur during the day; many ISPF applications work this way. The application needs to query RACF to find out what access you have so it can build your ISPF environment but such RACROUTEs are not worthy of being logged because the application is simply trying to find out what it needs to set up your ISPF enviornment.
This brings up a good point. While we can set auditing values in RACF via the profile for SETROPTS LOGOPTIONS it truly is up to the caller of RACF to decide whether or not something will be logged because it all comes down to the LOG= parameter on the RACROUTE macro.
So how do you determine which CKR resource is the culprit?
Well there is some documentation in the installation guide. Not every profile is documented there but enough to get the idea.
There is also a debug option that will trace every panel option as you launch zSecure and save it to the C2RIMENU listing but I don't want to go into that level of detail here. You should contact support before using the SE.T tracing functions.
Hope that helps,