$HASP708 Authorization Error in ACF2 when Endevor Alt ID is in place

Article ID: 214253

Products

ACF2, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

The following error message is seen when trying to access an Endevor protected dataset in an ACF2 environment:

$HASP708 jobname xxxxxx        OPEN FAILED
RC=11 AUTHORIZATION FAILURE
DSNAME=ENDALTID.jobname.jobnumber.xxxxxxxx.?
IEC150I 913-74,IGG0199G,jobname,xxxxxx,xxxxxx

What is causing this error?

Resolution

ACF2 protects JES2 resources with the resource class JESSPOOL. The spool datasets that are defined for a job are owned by the userid assigned to the job. Endevor security uses an Alt ID (with a default LID of ENDALTID) for certain functions in an Endevor protected environment. During job processing, the userid for the JESSPOOL resource is switched to the Endevor Alt ID. If the user does not have access to the Endevor Alt ID's JESSPOOL resource, the job fails with the $HASP708 message shown above.

The violation can be cleared by giving the user access to update the spool datasets owned by the Endevor Alt ID. Sample TSO ACF2 commands for this are as follows:

SET R(SPL)
RECKEY resource_key ADD(ENDALTID.- UID(user_uid) ALLOW)
F ACF2,REBUILD(SPL)

Note: To locate the high level qualifier of the JESSPOOL resource for the $KEY of the resource rule, turn the TRACE bit on for the user's logon id, re-create the error, and run the ACFRPTRV report. Performing a FIND for the ALTID LID will show you the fully qualified resource name to assist with rule writing.
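
The following Python sketch is an added example, not part of the original article or of any Broadcom tooling. It scans job log text for the $HASP708 RC=11 signature shown above, keeps only the failures whose spool dataset is owned by the Alt ID, and fills the article's RECKEY template. The sample log is constructed, the function names are hypothetical, and treating the second $HASP708 token as the DD name is an assumption; resource_key and user_uid remain placeholders to be taken from the ACFRPTRV report.

```python
import re

# Constructed sample log (not from a real system); layout follows the article.
SAMPLE_LOG = """\
(constructed filler line)
$HASP708 PAYJOB01 SYSPRINT      OPEN FAILED
RC=11 AUTHORIZATION FAILURE
DSNAME=ENDALTID.PAYJOB01.JOB01234.D0000101.?
IEC150I 913-74,IGG0199G,PAYJOB01,STEP1,SYSPRINT
$HASP708 PAYJOB02 SYSUT2        OPEN FAILED
RC=11 AUTHORIZATION FAILURE
DSNAME=USER1.PAYJOB02.JOB01235.D0000102.?
"""

HASP708 = re.compile(r"\$HASP708\s+(\S+)\s+(\S+)\s+OPEN FAILED")
DSNAME = re.compile(r"DSNAME=(\S+)")

def find_altid_spool_failures(log, alt_id="ENDALTID"):
    """Return $HASP708 RC=11 failures on spool datasets owned by alt_id."""
    lines = log.splitlines()
    hits = []
    for i, line in enumerate(lines):
        head = HASP708.search(line)
        if not head:
            continue
        window = lines[i + 1:i + 3]  # the RC= and DSNAME= continuation lines
        if not any("RC=11 AUTHORIZATION FAILURE" in w for w in window):
            continue
        dsn = None
        for w in window:
            m = DSNAME.search(w)
            if m:
                dsn = m.group(1)
        if dsn is None:
            continue
        quals = dsn.split(".")
        if quals[0] != alt_id:  # owner is not the Alt ID: a different problem
            continue
        hits.append({"job": head.group(1), "ddname": head.group(2),
                     "owner": quals[0],
                     "jobid": quals[2] if len(quals) > 2 else None,
                     "dsname": dsn})
    return hits

def reckey_for(owner, resource_key="resource_key", user_uid="user_uid"):
    """Fill the article's RECKEY template; defaults are its own placeholders."""
    return f"RECKEY {resource_key} ADD({owner}.- UID({user_uid}) ALLOW)"

if __name__ == "__main__":
    for hit in find_altid_spool_failures(SAMPLE_LOG):
        print(hit["job"], hit["jobid"], "->", reckey_for(hit["owner"]))
```

The second failure in the sample is skipped because its spool dataset is owned by USER1 rather than the Alt ID, so the rule above would not address it.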