Commands That Have Recovery Routines

Failures that occur during the processing of the following commands may or may not cause a problem with the profiles on the RACF® database. These commands have recovery (backout) routines that enable the command processor to recover from some of the failures.

The commands are:
  • ADDGROUP
  • ADDUSER
  • ALTGROUP
  • CONNECT.

If the command error messages indicate that recovery (backout) was successful, perform the following steps:

  1. Examine the error messages to identify the failure.
  2. Reenter the command.
  3. If the failure occurs again, contact your programming support representative.

If the command error messages indicate that recovery (backout) was not successful, perform the following steps:

  1. Examine the error messages to identify the failure.
  2. List the contents of the affected user and group profiles to determine the status of the contents.
  3. If no profiles were modified, reenter the command.
  4. If the user or group profiles have discrepancies, enter the appropriate commands to correct the data in the profiles. See z/VM: RACF Security Server Security Administrator's Guide for more information.

    Example: A failure occurs during the processing of the ADDUSER command and the user profile is created correctly but the group profile is not updated with the new user's user ID. In this case, enter the CONNECT command with the default group name as the desired group in order to update the group profile.

  5. If the command was adding or changing a uid or gid of an OVM segment, and the user or group profile is correct, examine the appropriate VMPOSIX mapping profile to see if it matches the change made to the user or group profile. If it does not match, alter the VMPOSIX profile appropriately.
    Example: You entered: 
    ADDUSER CAMERON OVM(UID(7))
    The CAMERON user profile is correct but the U7 profile does not exist in the VMPOSIX class. Add it as follows. 
    RDEFINE VMPOSIX U7 UACC(NONE)
PERMIT U7 CLASS(VMPOSIX) ID(CAMERON) ACCESS(NONE)
PERMIT U7 CLASS(VMPOSIX) ID(your-id) DELETE

    If the NOADDCREATOR option is in effect, the PERMIT command to delete authorization for your user ID is not necessary.

    See z/VM: RACF Security Server Security Administrator's Guide for information regarding VMPOSIX mapping profiles. For information on the NOADDCREATOR option, see z/VM: RACF Security Server Security Administrator's Guide. For information on the ADDCREATOR and NOADDCREATOR keywords on the SETROPTS command, see z/VM: RACF Security Server Command Language Reference.

  6. If there are no discrepencies and the user, group, and VMPOSIX mapping profiles (if relevant) are correct, the command completed successfully.
  7. If the failure occurs again, contact your programming support representative.