ICH408I for Tape Date Sets running IDCAMS REPRO MERGECAT

Article Id: 125500

Status: Published

Updated On: 31-01-2019 05:08

Products:

CA 1 Tape Management , CA 1 Tape Management - Copycat Utility , CA 1 Tape Management - Add-On Options

Issue/Introduction:

IDCAMS REPRO MERGECAT fails with the following security violations for migrated data sets and for data sets on tape volumes:

ICH408I USER(userid ) GROUP(group ) NAME(user name )
HLQ.data.set.name CL(DATASET ) VOL(MIGRAT)
INSUFFICIENT ACCESS AUTHORITY
FROM HLQ.** (G)
ACCESS INTENT(ALTER ) ACCESS ALLOWED(READ )
ICH408I USER(userid ) GROUP(group ) NAME(user name )
HLQ.data.set.name CL(DATASET ) VOL(tape00)
INSUFFICIENT ACCESS AUTHORITY
FROM HLQ.** (G)
ACCESS INTENT(ALTER ) ACCESS ALLOWED(READ )

The Userid running MERGECAT has ALTER ACCESS to the Catalogs and READ ACCESS to the Data Sets being merged.
This works for Data Sets on DASD, but fails for Tape Data Sets or migrated Data Sets.

Environment:

Release:
Component: 1

Resolution:

This problem is caused by the CA 1 Catalog Interface. It is addressed by CA Common Tape (CM-$F) Problem 298. APAR ST07062 is available and can be requested from Support. The published PTF will be available soon. Following details for APAR ST07062:

Title: CORRECT SECURITY CALL DURING A MERGECAT OPERATION

PROBLEM DESCRIPTION:
For CA 1 clients when OCEOV is set to YES and an attempt is made to perform
a REPRO MERGECAT operation, without access to the data set names being
merged, it will fail with a security violation.

SYMPTOMS:
A security-violation on an individual file will prevent the IDCAMS procedure
from ending correctly.

IMPACT:
Cannot perform the MERGECAT operation.

CIRCUMVENTION:
A circumvention would be to disable the CA 1 check at OPEN and enable the
same call from OPEN itself. This can be done by changing OCEOV to NO in the
TMOOPTxx member of CA 1 options and setting the TAPEAUTHDSN=YES option in
DEVSUPxx member of SYS1.PARMLIB instead.