z/OS Security Server RACF Security Administrator's Guide


Activating compatibility mode for security labels (COMPATMODE option)

SA23-2289-00

If you are using security labels on your system, and you observe security label failures for some calls at the designated security console or in audit records, the reason might be that the caller used a pre-RACF 1.9 protocol that did not, or was unable to, specify a security label.

If this is the case, and you want security label authorization checks to succeed for callers that are not using current protocols, you might be able to use the COMPATMODE option on the SETROPTS command. Specifying COMPATMODE allows the caller to access the resources it needs, provided that the user has access to a security label that could allow the requested access to the resource.

To establish COMPATMODE, enter:
SETROPTS COMPATMODE
Restriction: This option cannot be activated when the SECLABEL class is inactive.

To investigate the source of a security label failure, obtain a copy of the RACF® audit records using output from the SMF data unload utility (IRRADU00). (See z/OS Security Server RACF Auditor's Guide.) Examine the records for the call to see if the failure occurred because of insufficient security label authority. Next, examine the token information for the caller. If the caller's token is identified as being created by a pre-RACF 1.9 protocol that either did not, or was unable to, specify a security label, RACF failed the security label authorization check.

NOCOMPATMODE is in effect when a RACF database is first initialized using IRRMIN00.





Copyright IBM Corporation 1990, 2014