Insufficient access authority from KN3.**.TAKEACTION.ADMIN messages in the system log
A security enhancement in V5.1.0 implemented direct SAF calls to verify both the user ID and command for Take Action commands.
The user views results from Take Action commands in the Command and Response Log 3270 workspace (KN3CRTS) or in the Command Log workspace in Tivoli® Enterprise Portal. A separate SAF call is performed to determine whether the user is allowed to view results from commands that are issued by any user or only by the current user ID.
When a user who is not
granted READ permission to KN3.**.TAKEACTION.ADMIN
views
Take Action command results, two instances of the ICH408I messages
(in the case of RACF®) are written
to the system log.
ICH408I USER(USER2 ) GROUP(OMVS ) NAME(####################) 548
KN3.V510N3:0061:KN3AGENT.TAKEACTION.ADMIN CL(TAKESAF2)
INSUFFICIENT ACCESS AUTHORITY
FROM KN3.**.TAKEACTION.ADMIN (G)
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
This
is not an error. The SAF program has correctly determined that the
user does not have authority to view other users' Take Action commands
and responses. If the system administrator wants a user to see commands
issued by all users, then the administrator must give the user READ
access to the KN3.**.TAKEACTION.ADMIN
profile of
your RTE's Global SAF class, or the IBM® Z OMEGAMON® AI for Networks monitoring agent's SAF Action class name override.