John, I didn't have access to the command setfacl with my user then I used SU and commands were accepted
1) setfacl -m user:9999999:rwx /TEST 2) setfacl -m group:1:rwx /TEST I run the job but the same message. Angel 2011/8/25 McKown, John <john.mck...@healthmarkets.com> > IMO, you need an OMVS segment and a unique, non-zero, UID. You also need > Write (Read & eXecute would be nice too) access to the /TEST subdirectory. > From the message, your ID is running with a UID of 9999999 and a GID of 1. > How to give you access to /TEST as you are now defined? > > 1) setfacl -m user:9999999:rwx /TEST > 2) setfacl -m group:1:rwx /TEST > > http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/BPXZA590/SETFACL > This requires "root" to do the commands, but then your id can access the > subdirectory. This may or may not grant you access to other files in that > subdirectory. Access to each file in the subdirectory will depend on the ACL > for that file. > > Instead of UID==0, get CONTROL access to profile SUPERUSER.FILESYS in the > UNIXPRIV class. > > http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/bpxzb291/4.6 > > This latter is still horrible, but less so than UID==0. It will allow you > unlimited access to every UNIX file and subdirectory in your shop. I.e. you > can destroy the UNIX environment with relative ease. > > The setfacl is much nicer. Especially if your RACF admin gives you a > unique, non-zero, UID in an OMVS segment and then uses the "setfacl -m > user:<uid>:rwx /TEST" to give you access only to the /TEST subdirectory. Uh, > replacing <uid> with the UID you were given. > > Using UID==0 is an anathema to any security conscious admin. Very few > processes really need it. And, IMO, __never__ an interactive user. Have the > RACF person look at the UNIXPRIV class and the BPX.--- profiles in the > FACILITY class for ways to allow access without UID==0. > > -- > John McKown > Systems Engineer IV > IT > > Administrative Services Group > > HealthMarkets(r) > > 9151 Boulevard 26 * N. Richland Hills * TX 76010 > (817) 255-3225 phone * > john.mck...@healthmarkets.com * www.HealthMarkets.com > > Confidentiality Notice: This e-mail message may contain confidential or > proprietary information. If you are not the intended recipient, please > contact the sender by reply e-mail and destroy all copies of the original > message. HealthMarkets(r) is the brand name for products underwritten and > issued by the insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake > Life Insurance Company(r), Mid-West National Life Insurance Company of > TennesseeSM and The MEGA Life and Health Insurance Company.SM > > > > > -----Original Message----- > > From: IBM Mainframe Discussion List > > [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Angel Tamayo > > Sent: Thursday, August 25, 2011 7:50 AM > > To: IBM-MAIN@bama.ua.edu > > Subject: Copying file to OMVS > > > > Hi List, > > > > Maybe someone here could have the same or similar case. > > > > I run job: > > > > //COPY1 EXEC PGM=IEBGENER,REGION=0M > > //SYSPRINT DD SYSOUT=* > > //SYSUT1 DD DISP=SHR,DSN=HLQ.COMPRESS.PAX > > //SYSUT2 DD PATH='/TEST/COMPRESS9', > > // PATHOPTS=(OWRONLY,OCREAT,OEXCL), > > // PATHDISP=(KEEP,DELETE) > > //SYSIN DD DUMMY > > > > I received message: > > > > ICH408I USER(ZOSUSER ) GROUP(OMVSGRP ) NAME(USER NAME ) 479 > > /TEST/COMPRESS9 CL(FSOBJ ) > > FID(00003813000000410000000000000000) > > INSUFFICIENT AUTHORITY TO > > OPEN > > ACCESS INTENT(RW-) ACCESS ALLOWED(OWNER > > ---) > > EFFECTIVE UID(0009999999) EFFECTIVE GID(0000000001) > > > > > > The RACF persons says that I need to have OMVS segment setup > > for my userid > > with UID(0). > > > > I suppose UID(0) will solve the problem but it is really the > > only way to > > solve it?. > > I'm looking for a solution without UID(0), any idea on this will be > > appreciated. > > > > As additional information ZOSUSER have authority to use SU > > (superuser) in > > OMVS environment, don't really know if this helps to this case. > > > > Angel > > > > ---------------------------------------------------------------------- > > For IBM-MAIN subscribe / signoff / archive access instructions, > > send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO > > Search the archives at http://bama.ua.edu/archives/ibm-main.html > > > > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO > Search the archives at http://bama.ua.edu/archives/ibm-main.html > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
