Troubleshooting IBM Engineering Workflow Management ISPF client permissions

This section provides information to help you troubleshoot problems with the IBM® Engineering Workflow Management (EWM) ISPF client permissions.

EWM ISPF client users need specific permissions to the UNIX load directories of other users to maintain the proper repository workspace states for all users. When a z/OS UNIX location is loaded and registered as a user repository workspace location, and this location contains a directory without read-execute permissions (r-x) for other ISPF users (such as 700, 701, or 710) who might work with the components, SCM operations performed by other ISPF users might fail during the registered sandbox controls.

RACF messages are written to the system log by the ISPF daemon regarding insufficient authority:
ICH408I  USER(XHOUIS  ) GROUP(JAZUSERS)  NAME(*********************)
  /u/bldEWM/beta2/.jazz5/.flags/.loadedComponents.isComplete
  CL(DIRACC  ) FID(01E2D4E2E5D3F100110A0000041C0000)
  INSUFFICIENT AUTHORITY TO OPEN
  ACCESS INTENT(-W-)  ACCESS ALLOWED(GROUP      R-X)
  EFFECTIVE UID(0000000519)  EFFECTIVE GID(0000000006)
ICH408I  USER(STCISPF ) GROUP(STCGROUP)  NAME(EWM - ISPF DAEMON   )
  /u/bldEWM/beta2/.jazz5/.flags/.descriptors.isComplete
  CL(DIRACC  ) FID(01E2D4E2E5D3F100110A00000041C0000)
  INSUFFICIENT AUTHORITY TO OPEN
  ACCESS INTENT(-W-)  ACCESS ALLOWED(GROUP      R-X)
  EFFECTIVE UID(0000000008)  EFFECTIVE GID(0000000001)
Some SCM operations on the Jazz source code data need to maintain state data for registered workspaces of other users, and must have access to those user directories. These user workspaces need group access. Users outside of the common group need no access. To provide the required access, follow these steps:
  1. Declare the ISPF daemon user and ALL the users who will use this daemon in a UNIX group.
  2. Set up the permissions for all of the directories included in the path of EWM ISPF client users UNIX load locations to have read-execute (r-x) permission for user and group. The minimum permission for the directory of the sandbox must be 750 (rwx r-x ---). This is a requirement for all directories to be used as z/OS UNIX directory load locations by the ISPF client. Perform the following required declarations:
    1. Create an EWMGRP group.
    2. Connect other users, including USERDMN (daemon user ID), to this group.
    3. Enter a chmod command for each user in the group and all users who use the daemon:
      chmod -R 750 /u/USERx
      where x is the user ID of an ISPF client user.
    4. Enter a chown command for each user in the group and all users who use the daemon:
      chown -R USERx:EWMGRP/u/USERx.
  3. Inform the ISPF client users to use these UNIX directories for workspace UNIX load directories.