RACF message ICH408I

For a complete description of RACF® message ICH408I, see z/OS Security Server RACF Messages and Codes.

The first line of message ICH408I identifies a user who had an authorization problem. The other lines of the message describe the request the user was issuing and the reason for the failure.

Consider the following example:

ICH408I USER(JONES   ) GROUP(DEPT60  ) NAME(M.M.JONES           )
ICH408I   FLA32 CL(FCICSFCT)
ICH408I   INSUFFICIENT ACCESS AUTHORITY
ICH408I   FROM F%A* (G)
ICH408I   ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )

This message can be interpreted as follows:

User JONES, a member of group DEPT60, whose name is M.M.JONES, had INSUFFICIENT ACCESS AUTHORITY to resource FLA32, which is in class FCICSFCT.

Note: If the class shown is a resource group class, the profile might be in the class shown or in the related member class. For example, if GCICSTRN appears, check TCICSTRN also. If HCICSFCT appears, check FCICSFCT also. For a list of all the IBM®-supplied class names, see Summary of RACF classes for CICS resources. For a list of the installation-defined class names that are in use on your installation, see your RACF system programmer, or issue the SETROPTS LIST command.

The RACF profile protecting the resource is F%A*. (G) indicates that F%A* is a generic profile.

The access attempted by user JONES was UPDATE, but the access allowed by RACF was READ. Therefore, user JONES was denied access.

A DFHXS1111 message would also be issued for this access attempt:

DFHXS1111 26/09/95 15:34:01 CICSSYS1 Security violation by user JONES
          at netname D2D1 for resource FLA32 in class
          TCICSTRN. SAF codes are (X'00000008',X'00000000'). ESM codes
          are (X'00000008',X'00000000').

The SAF and ESM codes come from RACROUTE REQUEST=AUTH.

To find the cause of the violation, issue the RLIST command with AUTHUSER specified to list the profile indicated in the ICH408I message. The AUTHUSER operand displays the access list, as shown in Figure 1.

Figure 1. Requesting a display of the access list

rlist fcicsfct f%a* authuser
CLASS      NAME
-----      ----
FCICSFCT   F%A* (G)
GROUP CLASS NAME
----- ----- ----
HCICSFCT
LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    CICSADM         NONE              ALTER    NO
                            .
                            .
                            .
                            .
USER      ACCESS
----      ------
DEPTA     UPDATE
JONES     READ
GROUPX    NONE
SYSPROG   ALTER

In this profile, user JONES has an explicit entry in the access list. If the userid itself does not appear in the access list, check for one of JONES's connect groups. To list the groups to which JONES is connected, issue LISTUSER JONES Other specifications in the profile (such as security level or security category) might cause access to be denied. For a complete description, see the z/OS Security Server RACF Security Administrator's Guide.

Note: If NOTIFY(CICSADM) were specified in this profile, TSO userid CICSADM would receive immediate notification of failed attempts to access resources protected by the profile.