Troubleshooting IBM Engineering Workflow Management ISPF client permissions
This section provides information to help you troubleshoot problems with the IBM® Engineering Workflow Management (EWM) ISPF client permissions.
EWM ISPF client users need specific permissions to the UNIX load directories of other users to maintain the proper repository workspace states for all users. When a z/OS UNIX location is loaded and registered as a user repository workspace location, and this location contains a directory without read-execute permissions (r-x) for other ISPF users (such as 700, 701, or 710) who might work with the components, SCM operations performed by other ISPF users might fail during the registered sandbox controls.
RACF messages are written to the system log by the ISPF daemon regarding insufficient
authority:
ICH408I USER(XHOUIS ) GROUP(JAZUSERS) NAME(*********************)
/u/bldEWM/beta2/.jazz5/.flags/.loadedComponents.isComplete
CL(DIRACC ) FID(01E2D4E2E5D3F100110A0000041C0000)
INSUFFICIENT AUTHORITY TO OPEN
ACCESS INTENT(-W-) ACCESS ALLOWED(GROUP R-X)
EFFECTIVE UID(0000000519) EFFECTIVE GID(0000000006)
ICH408I USER(STCISPF ) GROUP(STCGROUP) NAME(EWM - ISPF DAEMON )
/u/bldEWM/beta2/.jazz5/.flags/.descriptors.isComplete
CL(DIRACC ) FID(01E2D4E2E5D3F100110A00000041C0000)
INSUFFICIENT AUTHORITY TO OPEN
ACCESS INTENT(-W-) ACCESS ALLOWED(GROUP R-X)
EFFECTIVE UID(0000000008) EFFECTIVE GID(0000000001)
Some
SCM operations on the Jazz source code data need to maintain state
data for registered workspaces of other users, and must have access
to those user directories. These user workspaces need group access.
Users outside of the common group need no access. To provide the required
access, follow these steps:
- Declare the ISPF daemon user and ALL the users who will use this daemon in a UNIX group.
- Set up the permissions for all of the directories included in the path of EWM ISPF
client users UNIX load locations to have read-execute (r-x) permission for user and group. The
minimum permission for the directory of the sandbox must be 750 (rwx r-x ---). This is a requirement
for all directories to be used as z/OS UNIX directory load locations by the ISPF client. Perform the
following required declarations:
- Create an EWMGRP group.
- Connect other users, including USERDMN (daemon user ID), to this group.
- Enter a chmod command for each user in the group and all users who use the
daemon:
where x is the user ID of an ISPF client user.chmod -R 750 /u/USERx
- Enter a chown command for each user in the group and all users who use the
daemon:
chown -R USERx:EWMGRP/u/USERx.
- Inform the ISPF client users to use these UNIX directories for workspace UNIX load directories.