Question & Answer
Question
Various IDCAMS commands, such as DIAGNOSE, SETCACHE, DELETE NOSCRATCH, DELETE DEFINE ALIAS, as well as others, when issued from ISPF or TSO can result in MSGIDC3018I MSGIDC3009I RC56 RSN36 as well as other error symptoms indicating security authorization failure.
Answer
- Description:
Various IDCAMS commands, such as DIAGNOSE, SETCACHE, DELETE NOSCRATCH, DELETE DEFINE ALIAS, as well as others, when issued from ISPF or TSO can result in MSGIDC3018I MSGIDC3009I RC56 RSN36 as well as other error symptoms indicating security authorization failure. The same commands complete successfully in IDCAMS BATCH mode.
Resolution:
For example:
During DELETE NOSCRATCH on TSO, we receive MSGIGD3009I, RC56 RC36 User is not authorized, when no profile exists for functions that require RACF authorization, the user must be at least APF-authorized. The above occurs when processing an SMS volume. If the DELETE NOSCRATCH is issued from a batch job the delete is authorized. When executing from TSO additional steps must be taken to have programs run APF-authorized. Authorization can be established by adding the wanted commands (define, import, delete, etc) to the commands processor table APFCTABL in CSECT IKJEFTE2 or the AUTHCMD names in SYS1.PARMLIB member IKJTSO00. Also, the program must be placed in the authorized programs name table in APFPTABL csect IKJEFTE8 or in AUTHPGM NAMES in SYS1.PARMLIB member IKJTSO00. These steps will allow IDCAMS to run APF-AUTHORIZED on TSO. You can circumvent the above authorization by defining the RACF CLASS FACILITY 'STGADMIN.IGG.DELETE.NOSCRATCH'.
A search is made for this profile first, if it exists the access list is checked for authorized users. If not, then the caller must be APF-AUTHORIZED.
For DELETE ALIAS, consider the following:
Doing a DELETE ALIAS from ISMF panel receives msgIDC3018I security verification failed rc56 rsn36.
A design change APAR OW20352 has been created. This design change will be rolled into the fixing PTFs for APAR OW20033.
DELETE needs to be set to '22' in ISPTCM. This is in the ISPF Planning and Customization Manual.
Customizing the ISPF TSO Command Table (ISPTCM) has the detail on finding the table and what needs to be checked.
ADDITIONAL SYMPTOMS:
MSGIDC3351I rc205 abend047 when migrating to a new release of z/OS. Be sure to add the DELETE command to the IKJTSO00 commands table. The DELETE ALIAS was used as an example of problems and solutions.
SUPPORTING DOCUMENTATION:
For APF Authorization see:
Authorized Assembler Services Guide
Topic: Using APF to Restrict Access to System Functions
For Facility Classes see:
Managing catalogs
Topic: Controlling Catalog Functions with RACF Profiles in the FACILITY class
For General catalog Security see:
Managing catalogs
Topic: Chapter 5: Protecting catalogs
For Required Authority Levels to Perform IDCAMS commands see:
Access Method Services
Topic: Security Authorization Levels
ISPF Planning and Customization
Topic: Customizing the ISPF TSO Command Table (ISPTCM)
Related Information
[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG90","label":"z\/OS"},"Component":"5695DF103 - DFSMS ACCESS METHOD SERVICES","Platform":[{"code":"PF035","label":"z\/OS"}],"Version":"1.1;1.10;1.11;1.12;1.13;1.2;1.3;1.4;1.5;1.6;1.7;1.8;1.9;2.1;2.2;2.3;2.4","Edition":"","Line of Business":{"code":"LOB56","label":"Z HW"}}]
Historical Number
4903942
Was this topic helpful?
Document Information
Modified date:
03 September 2021
UID
isg3S1000170