z/OS Security Server RACF Messages and Codes
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


ICH14085I

z/OS Security Server RACF Messages and Codes
SA23-2291-00

ICH14085I
Warning: keyword-1 was changed to keyword-2 for class class-1 because the class shares a POSIT number with class class-2.

Explanation

During RACF® initialization or SETROPTS RACLIST processing, a mismatch was found between classes that share a POSIT number, and the class attribute was changed for class-1 to match the attribute in class-2. The named attributes, keyword-1 and keyword-2, cannot be specified in classes that share a POSIT number. For example, GENERIC(DISALLOWED) and GENERIC(ALLOWED) cannot be specified in two classes that share a POSIT number (unless the classes are a grouping and member class pair).

System action

Processing continues and one class (class-1) has an updated class attribute (keyword-2), as specified in the message. If an installation class (static or dynamic) is sharing a POSIT number with an IBM® class, the class attribute in the IBM class takes precedence. If two installation classes (static or dynamic) are sharing a POSIT number, RACF chooses the least restrictive attribute. For example, GENERIC(ALLOWED) is less restrictive than GENERIC(DISALLOWED), so RACF chooses GENERIC(ALLOWED).

User response

Change the definition of either class-1 or class-2 to have compatible attributes for classes with shared POSIT numbers. For more information about dynamic classes sharing a POSIT number, see z/OS Security Server RACF Security Administrator's Guide. For more information about static classes sharing a POSIT number, see the ICHERCDE macro description in z/OS Security Server RACF Macros and Interfaces.

To change the attribute of a class, do one of the following tasks:
  • If the class to be updated is a dynamic class, use the RALTER command to change the class attribute or POSIT number in the corresponding CDT profile. Then issue the SETROPTS RACLIST(CDT) REFRESH command to update the dynamic class descriptor table.
  • If the class to be updated is a static installation-defined class, change the ICHERCDE macro invocation in module ICHRRCDE, assemble and link edit the ICHRRCDE module, and restart your system.
Note: If class-1 is a dynamic class and no action is taken to change the attributes of class-1 or class-2, this message is issued again during each SETROPTS RACLIST(CDT) REFRESH command until the attributes are corrected.

Routing code

2 and 9

Descriptor code

4

Parent topic: SETROPTS command messages

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014