When you execute the macro, space for the RACF® return code and reason code is reserved
in the first two words of the RACROUTE parameter list. You can access
them using the ICHSAFP mapping macro by loading the ICHSAFP pointer
with the label that you specified on the list form of the macro. When
control is returned, register 15 contains the SAF return code.
Note: All return and reason codes are shown in hexadecimal. Also,
note that SAF return code is presented as SAF RC and RACF return code is presented as RACF RC in the following topic.
- SAF RC
- Meaning
- 00
- RACROUTE REQUEST=AUTH completed successfully.
- RACF RC
- Meaning
- 00
- The user is authorized by RACF to
obtain use of a RACF-protected resource.
- Reason code
- Meaning
- 00
- Indicates a normal completion.
- 04
- Indicates one of the following:
- STATUS=ERASE was specified and the data set is to be erased when
scratched, or
- The warning status of the resource was requested by the RACROUTE REQUEST=AUTH issuer's setting bit X'10' at
offset 12 decimal in the request-specific portion of the RACROUTE
REQUEST=AUTH parameter list, and authorization was granted because
WARNING was specified in the profile protecting the resource. The X'10' at
offset 12 bit is not a programming interface. The request-specific
portion of the RACROUTE REQUEST=AUTH parameter list follows the RACROUTE
parameter list (ICHSAFP) and is mapped by the mapping macro, ICHACHKL.
- 10
- When CLASS=TAPEVOL, indicates the TAPEVOL profile contains a TVTOC.
- 20
- When CLASS=TAPEVOL, indicates that the TAPEVOL profile can contain
a TVTOC, but currently does not (for a scratch pool volume).
- 24
- When CLASS=TAPEVOL, indicates that the TAPEVOL profile does not
contain a TVTOC.
- XX
- If the reason code is greater than or equal to hexadecimal 200
(decimal 512), see Class descriptor table (CDT) default return codes and reason codes.
- 14
- Requested function with STATUS=ACCESS specified has completed
successfully. The user's highest access to the specified resource
is indicated by one of the following reason codes:
- Reason Code
- Meaning
- 00
- The user has no access.
- 04
- The user has READ authority.
- 08
- The user has UPDATE authority.
- 0C
- The user has CONTROL authority.
- 10
- The user has ALTER authority.
- 04
- Requested function could not be completed. No RACF decision.
- RACF RC
- Meaning
- 00
- No security decision could be made.
- Reason code
- Meaning
- 00
- RACF was not called to
process the request because one of the following occurred:
- RACF is not installed.
- The combination of class, REQSTOR, and SUBSYS was found in the RACF router table, and ACTION=NONE
was specified.
- The RACROUTE issuer specified DECOUPL=YES and a RELEASE= keyword
with a higher release than is supported by this level of z/OS®.
- The specified class is DSNR and the DSNR class is inactive.
- 04
- The specified resource is not protected by RACF.
If PROTECTALL is active, no profile
is found, and the user ID whose authority was checked does not have
the SPECIAL attribute, RACF returns
a return code X'08' instead of a return code X'04' and
denies access.
- Reason code
- Meaning
- 00
- One of the following has occurred:
- There is no RACF profile
protecting the resource.
- RACF is not active.
- Specified class is not in the RACF class
descriptor table.
- Specified class (other than DSNR) is not active.
- Specified class requires SETROPTS RACLIST option to be active
and it is not.
- CLASS TEMPDSN was active and the data set is a temporary data
set.
- A userid of *BYPASS* has been passed on the authorization
check. No profile checking will occur.
- 04
- Indicates STATUS=ERASE was specified and the data set is to be
erased when scratched.
- 582
- Reserved.
- 08
- Requested function has failed.
- RACF RC
- Meaning
- 08
- The user is not authorized by RACF to obtain use of the specified RACF-protected
resource.
- Reason code
- Meaning
- 00
- Indicates a normal completion. A possible cause would be PROTECTALL
is active, no profile is found, and the user ID whose authority was
checked does not have the SPECIAL attribute.
- 04
- Indicates STATUS=ERASE was specified and the data set is to be
erased when scratched.
- 08
- Indicates DSTYPE=T or CLASS=TAPEVOL was specified and the user
is not authorized to use the specified volume.
- 0C
- For tape data set processing, the user is not authorized to use
the data set.
- 10
- Indicates DSTYPE=T or CLASS=TAPEVOL was specified and the user
is not authorized to specify TAPELBL=(,BLP).
- 14
- Indicates the user is not authorized to open a non-cataloged data
set.
- 18
- Indicates the user is not authorized to issue RACROUTE REQUEST=AUTH
when system is in tranquil state (MLQUIET).
- 1C
- A user with EXECUTE authority to the data set profile specified
ATTR=READ, and RACF failed
the access attempt.
- 20
- The user's security label does not dominate that of the resource;
it fails security label authorization checking.
- 24
- The user's security label can never dominate that of the resource.
- 28
- The resource must have a security label, but does not have one.
- 2C
- Conditional access could not be granted because the environment
is not controlled.
- XX
- If the reason code is greater than or equal to hexadecimal 200
(decimal 512), see Class descriptor table (CDT) default return codes and reason codes.
- 0C
- The OLDVOL specified was not part of the multivolume data set
defined by VOLSER, or it was not part of the same tape volume defined
by ENTITY.
- 10
- RACROUTE REQUEST=VERIFY was issued by a third party, and RACROUTE
REQUEST=AUTH failed.
- Reason code
- Meaning
- XX
- This value is the RACF return
code from the RACROUTE REQUEST=VERIFY. Refer to Return codes and reason codes for
an explanation of these reason codes. Under SAF return code X'08',
see RACF return code XX.
- 64
- Indicates that the CHECK subparameter of the RELEASE keyword was
specified on the execute form of the RACROUTE REQUEST=AUTH macro;
however, the list form of the macro does not have the same RELEASE
parameter. Macro processing terminates.