z/OS Security Server RACF Security Administrator's Guide


Logon/job initialization processing

SA23-2289-00

When users cannot log on (or jobs cannot be initiated) or started procedures fail, check the following:
  • For all types of users and jobs, check for an authorization message that indicates the cause of the failure, such as:
    • User profile not defined
    • User ID revoked
    • Incorrect or no password
    • Incorrect group name
    • Incorrect or no security label (depending on RACF® options)
    • Attempt to change password or password phrase when RACF is in read-only mode or when the RACF database is locked.

    If the application's message does not clearly indicate the source of the problem, check the RACF message. This message (ICH408I or ICH409I) might provide more information.

    Note:
    1. You can find the message in one of the following places:
      • The user's terminal
      • The job log
      • The security console
      • The system log.

      Also, equivalent information is in audit records generated by RACF. Some information might be in audit records generated by the caller of RACF.

    2. For NJE jobs and SYSOUT, be aware that NODES profiles can cause the user ID, connect group, and security label to be translated to local values.
    3. For NJE jobs, if password verification is required by the NODES profile used to verify the user ID, any password sent with the job must be the password associated with the user ID on the execution node.
    4. If the ICH408I message indicates that access was denied because of a revoked user ID, you might want to resume that user ID. Check whether the user ID is associated with a started procedure. If it is, that started procedure could not have started successfully. After you resume the user ID, you must restart the started procedure or re-IPL.
  • REQUEST=VERIFY processing might do some RACF authorization checks for the user. Also, the caller of RACF, or initial EXECs or procedures that are invoked automatically, might require RACF authorization checking.

    See Table 1 for the resource classes that could be checked from various types of sessions.

  • Check whether an installation exit is causing the problem. Candidates include:
    • The SAF exits
    • Exits in the caller of RACF, such as JES or TSO
    • The REQUEST=VERIFY exits.

Table 1. Resource classes checked for logon and job initialization requests

| Type of session | Classes that might be checked |
|---|---|
| TSO logons | TERMINAL, SECLABEL, TSOPROC, ACCTNUM, PERFGRP, TSOAUTH, and (depending on the user's TSO logon procedure) DATASET or others |
| CICS® signons | TERMINAL, SECLABEL, and APPL |
| IMS™ signons | TERMINAL, SECLABEL, and APPL |
| Operators logging on to MCS consoles | CONSOLE and SECLABEL |
| Batch jobs | JESINPUT, SECLABEL, JESJOBS, SURROGAT |
| Inbound NJE jobs | NODES, JESINPUT, SECLABEL, JESJOBS, SURROGAT |
| Inbound SYSOUT | NODES, JESINPUT, SECLABEL |
| RJE remote signons or logons | JESINPUT, SECLABEL, FACILITY (checks for existence of RJE.userid profile) |
| For NJE and RJE remote (commands) | CONSOLE, NODES, SECLABEL, OPERCMDS, FACILITY (for each command, a check is made against the NJE.userid or RJE.userid profile in the FACILITY class) |
| MOUNT (MVS™ operator requests that a DASD device be made active), system address space, and started procedures | Check the STARTED class or started procedures table (ICHRIN03) entry |
| APPC/MVS allocation requests | APPCPORT, APPCLU, APPCTP, APPCSERV, APPCSI, SECLABEL, APPL, DATASET |
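
The revoked-user check in note 4, as an added example that is not part of the IBM guide: the RACF TSO commands an administrator could enter to confirm the revoke, find any started procedure mapped to the user ID, and resume it. STCUSR1 and PROCNAME are hypothetical names used only for illustration.

```tso
/* Added example. STCUSR1 and PROCNAME are hypothetical names.       */

/* 1. Confirm that the user ID named in ICH408I is revoked.          */
/*    REVOKED appears in the ATTRIBUTES line of the output.          */
LISTUSER STCUSR1

/* 2. Find out whether the user ID is associated with a started      */
/*    procedure. List only the STDATA segment of every STARTED       */
/*    profile and look for USER= STCUSR1 in the output.              */
/*    Started procedures can also be mapped in the started           */
/*    procedures table (ICHRIN03), which this command does not show. */
RLIST STARTED * STDATA NORACF

/* 3. Resume the user ID once the reason for the revoke is known.    */
ALTUSER STCUSR1 RESUME

/* 4. Verify that REVOKED no longer appears in ATTRIBUTES.           */
LISTUSER STCUSR1

/* 5. Restart the affected started procedure from an MVS console     */
/*    (operator command, not a TSO command):  S PROCNAME             */
```

Step 2 matters before step 3 because the output tells you which started procedures failed at initialization and therefore need restarting after the resume.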





Copyright IBM Corporation 1990, 2014