Insufficient access authority from KN3.**.TAKEACTION.ADMIN messages in the system log

A security enhancement in V5.1.0 implemented direct SAF calls to verify both the user ID and command for Take Action commands.

The user views results from Take Action commands in the Command and Response Log 3270 workspace (KN3CRTS) or in the Command Log workspace in Tivoli® Enterprise Portal. A separate SAF call is performed to determine whether the user is allowed to view results from commands that are issued by any user or only by the current user ID.

When a user who is not granted READ permission to KN3.**.TAKEACTION.ADMIN views Take Action command results, two instances of the ICH408I messages (in the case of RACF®) are written to the system log.

ICH408I USER(USER2   ) GROUP(OMVS    ) NAME(####################) 548 
  KN3.V510N3:0061:KN3AGENT.TAKEACTION.ADMIN CL(TAKESAF2)              
  INSUFFICIENT ACCESS AUTHORITY                                       
  FROM KN3.**.TAKEACTION.ADMIN (G)                                    
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )

This is not an error. The SAF program has correctly determined that the user does not have authority to view other users' Take Action commands and responses. If the system administrator wants a user to see commands issued by all users, then the administrator must give the user READ access to the KN3.**.TAKEACTION.ADMIN profile of your RTE's Global SAF class, or the IBM® Z OMEGAMON® AI for Networks monitoring agent's SAF Action class name override.