IBM Support

OA67467: AN ADDUSER COMMAND MAY ABEND0C4 PIC11

A fix is available


APAR status

  • Closed as program error.

Error description

  • The RACF ADDUSER command may ABEND.
    Here is a sample dump title:
    Dump Title:       INIT    ,      ICHCAU00 MODULE, 0C4-011
    ABEND,UNKNOWN                 CSECT,UNKNOWN  SEGMENT.
    
    ANALYSIS:
    Module ICHCAU00 tries to audit keywords specified on the ADDUSER
    command in arrays represented by variables LGTYPE and LGLIST.
    During the flow of interest, LGTYPE and LGLIST can be negatively
    impacted. An ABEND0C4 is possible later involving audit modules
    such as ICHRAU02.
    
    KNOWN IMPACT:
    An ABEND0C4 may occur while referencing LGTYPE or LGLIST, and
    the ADDUSER command could fail.
    
    VERIFICATION STEPS:
    1) Confirm if an ADDUSER command was issued before the ABEND0C4.
    2) Determine if the ABEND0C4 occurred while referencing LGTYPE
    or LGLIST, which are input parameters to ICHRAU02.
    3) Backchain to ICHCAU00 if needed to review how LGTYPE and
    LGLIST were populated.
    
    ADDITIONAL SYMPTOMS:
    RACF ABEND RSN11
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: z/OS Security Server RACF users of the       *
    *                 ADDUSER command in RACF versions 2.5 and     *
    *                 later.                                       *
    ****************************************************************
    * PROBLEM DESCRIPTION: The RACF ADDUSER command may ABEND when *
    *                      using a large number of operands.       *
    ****************************************************************
    The RACF ADDUSER command may ABEND when
    using a large number of operands.
    

Problem conclusion

  • The ABEND in the RACF ADDUSER command is resolved.
    
    This update modifies information provided in two manuals:
    
      z/OS Security Server RACF Command Language Reference
      (SA23-2292-xx)
    
      z/OS Security Server RACF Messages and Codes
      (SA23-2291-xx)
    
    This update modifies parameter descriptions for the ADDUSER
    command in the 'z/OS Security Server RACF Command Language
    Reference' (SA23-2292-xx).  The ADDCATEGORY and CLAUTH
    parameter descriptions are modified as follows (modifications
    are highlighted using '>' in the descriptions below):
    
      ADDCATEGORY(category-name ...)
    
        Specifies one or more names of installation-defined security
        categories. The names you specify must be defined as members
        of the CATEGORY profile in a SECDATA class. For information
        on defining security categories, see z/OS Security Server
        RACF Security Administrator's Guide.
    
     >  Value limit: The ADDUSER command is limited to a total of
     >  283 values from any combination of the following parameters:
     >
     >    - Number of categories that are specified by ADDCATEGORY
     >    - Number of classes that are specified by CLAUTH
     >    - DATA, MODEL, NAME, and OWNER operands.
    
        When the SECDATA class is active and you specify
        ADDCATEGORY, RACF performs security category checking in
        addition to its other authorization checking. If a user
        requests access to a resource, RACF compares the list of
        security categories in the user's profile with the list of
        security categories in the resource profile. If RACF finds
        any security category in the resource profile that is not in
        the user's profile, RACF denies access to the resource. If
        the user's profile contains all the required security
        categories, RACF continues with other authorization
        checking.
    
        | Note: RACF does not perform security category checking for
        | a started task or user with the RACF privileged or trusted
        | attribute. The RACF privileged or trusted attribute can be
        | assigned to a started task through the RACF started
        | procedures table or STARTED class, or to other users by
        | installation-supplied RACF exits.
    
    
      CLAUTH | NOCLAUTH
    
        CLAUTH(class-name ...)
    
          Specifies the classes in which the new user is allowed to
          define profiles to RACF for protection. Classes you can
          specify are USER, and any resource classes defined in the
          class descriptor table.
    
     >    Value limit: The ADDUSER command is limited to a total of
     >    283 values from any combination of the following
     >    parameters:
     >
     >      - Number of classes that are specified by CLAUTH
     >      - Number of categories that are specified by ADDCATEGORY
     >      - DATA, MODEL, NAME, and OWNER operands.
    
          To enter the CLAUTH operand, you must have the SPECIAL
          attribute or have the CLAUTH attribute for the classes
          specified. If you do not have sufficient authority for a
          specified class, RACF ignores the CLAUTH specification for
          that class and continues processing with the next class
          name specified.
    
          | Note: The CLAUTH attribute has no meaning for the FILE
          | and DIRECTORY classes.
    
        NOCLAUTH
    
          Specifies that the new user is not to have the CLAUTH
          attribute. NOCLAUTH is the default if you omit both CLAUTH
          and NOCLAUTH.
    
    
    A description for a new message is added to the 'z/OS Security
    Server RACF Messages and Codes' document (SA23-2291-xx).  In
    Chapter 2, 'ICH Messages for RACF commands', the following
    message description is added to the section, 'ADDUSER command
    messages':
    
      ICH01028I KEYWORD OPERAND LIMIT EXCEEDED, USER(S) NOT ADDED.
    
      Explanation
    
      The combined number of classes specified by the CLAUTH keyword
      and the number of categories specified by the ADDCATEGORY
      keyword exceeds the command limit.
    
      System Action
    
      Command processing stops and the requested users are not
      added.
    
      User Response
    
      Reduce the number of classes specified in the CLAUTH keyword
      and the number of categories specified in the ADDCATEGORY
      keyword and attempt the command again.  After successful
      completion of the command, issue ALTUSER commands for these
      users to specify the classes that were omitted from the CLAUTH
      keyword and the categories that were omitted from the
      ADDCATEGORY command.
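
Added example (not IBM code and not part of the APAR): a pre-flight check for provisioning tooling that generates ADDUSER commands, applying the 283-value limit and the ADDUSER-then-ALTUSER split that the ICH01028I user response describes. The function names and sample values are hypothetical; it assumes each of DATA, MODEL, NAME and OWNER counts as one value when present, and it holds the ALTUSER follow-ups to the same limit as a conservative choice that the APAR does not state.

```python
ADDUSER_VALUE_LIMIT = 283  # total value limit stated in the APAR text
# Assumption: each of these operands counts as one value when present.
COUNTED_SCALARS = ("DATA", "MODEL", "NAME", "OWNER")


def count_values(categories, classes, scalars):
    """Values that count toward the limit for one ADDUSER command."""
    counted = [k for k in scalars if k.upper() in COUNTED_SCALARS]
    return len(categories) + len(classes) + len(counted)


def render(verb, userid, categories, classes, scalars=None):
    """Build one logical command string (TSO line continuation not handled)."""
    parts = [verb, userid]
    parts += [f"{k.upper()}({v})" for k, v in (scalars or {}).items()]
    if categories:
        parts.append("ADDCATEGORY(" + " ".join(categories) + ")")
    if classes:
        parts.append("CLAUTH(" + " ".join(classes) + ")")
    return " ".join(parts)


def plan_commands(userid, categories, classes, scalars, limit=ADDUSER_VALUE_LIMIT):
    """Return one ADDUSER plus any ALTUSER follow-ups, none above the limit."""
    pending = [("cat", c) for c in categories] + [("cls", c) for c in classes]
    room = limit - count_values([], [], scalars)  # left after scalar operands
    commands = []
    while not commands or pending:
        first = not commands
        take = room if first else limit
        chunk, pending = pending[:take], pending[take:]
        cats = [v for kind, v in chunk if kind == "cat"]
        clss = [v for kind, v in chunk if kind == "cls"]
        commands.append(render("ADDUSER" if first else "ALTUSER", userid,
                               cats, clss, scalars if first else None))
    return commands


if __name__ == "__main__":
    # Constructed sample: 200 categories + 100 classes + 2 counted operands = 302
    cats = [f"CAT{i:03d}" for i in range(200)]
    clss = [f"CLS{i:03d}" for i in range(100)]
    for cmd in plan_commands("NEWUSR", cats, clss, {"NAME": "'J DOE'", "OWNER": "SYS1"}):
        print(cmd[:60], "...")
```

On systems without the PTF, running the same count before submitting a generated ADDUSER keeps the command under the number of operands that the problem description associates with the ABEND.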
    

Temporary fix

Comments

APAR Information

  • APAR number

    OA67467

  • Reported component name

    RACF

  • Reported component ID

    5752XXH00

  • Reported release

    7D0

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2025-01-29

  • Closed date

    2025-05-05

  • Last modified date

    2025-05-21

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UJ97080 UJ97081 UJ97082

Modules/Macros

  • ICHCAU00
    

Publications Referenced
SA232292xx SA232291xx

Fix information

  • Fixed component name

    RACF

  • Fixed component ID

    5752XXH00

Applicable component levels

  • R7D0 PSY UJ97080

       UP25/05/21 I 1000

  • R7E0 PSY UJ97081

       UP25/05/21 I 1000

  • R7F0 PSY UJ97082

       UP25/05/21 I 1000

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
21 May 2025