Why all this work with SAFTRACE and SDSF trace? Why not look in the log. If you are using RACF and have the proper profile then you should see:
ICH408I USER(USERA ) GROUP(HZSXXX ) NAME(TEST ID FOR G FOGG ) 987 ISFCMD.ODSP.SR.BOST CL(SDSF ) INSUFFICIENT ACCESS AUTHORITY FROM ISFCMD.ODSP.SR.** (G) ACCESS INTENT(READ ) ACCESS ALLOWED(NONE ) George Fogg -----Original Message----- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Hal Merritt Sent: Tuesday, December 16, 2008 2:01 PM To: IBM-MAIN@bama.ua.edu Subject: Re: SDSF Security Ignore my last. The trace was in the SDSF address space. -----Original Message----- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Dennis Trojak Sent: Tuesday, December 16, 2008 3:54 PM To: IBM-MAIN@bama.ua.edu Subject: Re: SDSF Security Did you enter the complete TRACE function? In SDSF, enter TRACE ON followed by TRACE 00000080. Then in SDSF select the job/command you are interested in and enter TRACE OFF. There will be an ISFTRACE dataset created under your TSU id in JES2 output. -----Original Message----- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Hal Merritt Sent: Tuesday, December 16, 2008 3:31 PM To: IBM-MAIN@bama.ua.edu Subject: Re: SDSF Security I activated the SAF trace (mask 80) and saw nothing. Nothing at all. I'm beginning to wonder if SDSF is calling RACF at all. Why wouldn't it? The FM does not mention any kind of switch to turn that on or off. -----Original Message----- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Cebell, David Sent: Tuesday, December 16, 2008 2:00 PM To: IBM-MAIN@bama.ua.edu Subject: Re: SDSF Security Good suggestions on the trace. Could one just put RACF in warn mode, try the command and determine what is causing the command to fail. -----Original Message----- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Pinnacle Sent: Tuesday, December 16, 2008 1:21 PM To: IBM-MAIN@bama.ua.edu Subject: Re: SDSF Security ----- Original Message ----- From: "Hal Merritt" <hmerr...@jackhenry.com> Newsgroups: bit.listserv.ibm-main Sent: Tuesday, December 16, 2008 12:28 PM Subject: SDSF Security > My operations folks would like to use the SR panel to manage WTOR's. All > of the applicable RACF profiles seem to be in place and they can issue > the replies from the LOG screen. > > The error message returned is "Not authorized for cmd". Nothing else > even though WTPMSG is in effect. > Hal, SDSF does so many RACROUTEs that it suppresses nearly all ICH408I messages for security failures. To fix this, you need to turn on the SDSF security trace (I forget the details, RTFM), run your command, turn off the trace, then look at the output. It will show you the RACROUTE call, the resource, and the return codes, so you can code up the proper PERMIT. Regards, Tom Conley ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html NOTICE: This electronic mail message and any files transmitted with it are intended exclusively for the individual or entity to which it is addressed. The message, together with any attachment, may contain confidential and/or privileged information. Any unauthorized review, use, printing, saving, copying, disclosure or distribution is strictly prohibited. If you have received this message in error, please immediately advise the sender by reply email and delete all copies. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html NOTICE: This electronic mail message and any files transmitted with it are intended exclusively for the individual or entity to which it is addressed. The message, together with any attachment, may contain confidential and/or privileged information. Any unauthorized review, use, printing, saving, copying, disclosure or distribution is strictly prohibited. If you have received this message in error, please immediately advise the sender by reply email and delete all copies. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html