In OPS/MVS, as part of an automation process or a rule, it is possible to issue commands using OPSOSF address spaces as servers that handle asynchronous action requests. It could be something looking like the following:
ADDRESS OPER
"-STOP DDF MODE(FORCE)"
"-STOP DB2"
"P OAM"
It can happen that the above STOP command related to DB2 task gets the following error:
DSN9016I COMMAND REJECTED, UNAUTHORIZED REQUEST
OPS1181H OPSOSF OPSS (*Local*) MVS N/A DB2STOP -STOP DB2
How to determine what OPSMVS ACID or userid should be defined and authorized in DB2 for these command?
In order to correctly execute DB2 oper commands from within an automation process, executed via OPSOSF Service tasks, it is necessary that the userid of the OPSOSF Server be authorized in DB2 in order to issue these oper commands (in this case the STOP command).
The userid can be determined by browsing the OPSLOG and checking the value of the column "User ID" of the CMD event.
One way to show these fields in OPSLOG is by issuing the command D EVN USERID. Sample output:
OPSLOG Browse XEXX XEXX OPSLOG
Command ===> D EVN USERID
Evn User ID ----+----1----+----2---
CMD OPSOSF -STOP DB2
In the above example, the userid is OPSOSF.
The required RACF definitions would then be:
RDEF DSNADM DB2.SYSOPR UACC(NONE) OWNER(DB2)
RALT DSNADM DB2.SYSOPR AUDIT(FAILURES(READ))
PE DB2.SYSOPR CLASS(DSNADM) ID(OPSOSF) ACCESS(READ)
See the documents below regarding this subject for CA Top Secret and ACF2.
ACF2:
https://knowledge.broadcom.com/external/article?articleId=11486
TSS:
https://knowledge.broadcom.com/external/article?articleId=46271