The console log shows the following error messages for a user signing on to a started task:
TSS7100E 006 J=startedtask A=acid T=N/A F=STC - Facility Not Authorized
TSS7160E Facility <STC> Not Authorized for Your Use
Release : 16.0
Component : CA Top Secret for z/OS
If a MASTFAC is not defined for a started task, then it will pick up the STC facility by default. But, since a started task does not (and should not) have access to the STC acid, it will (or should) get the error message: 06 = FACILITY < > NOT AUTHORIZED.
SUMMARY INSTRUCTIONS:
0. Add 'myproc' started task JCL member to: SYS1.PROCLIB(myproc)
(This is usually supplied by the system programmer.)
1. Create a master facility to hold the program and to let users run it.
1a. Add FAC(myfac) parameters to PARMFILE, active after next IPL.
FAC(user#=NAME=myfac)
FAC(myfac=PGM=myproc)
FAC(myfac=MODE=warn)
1b. Add FAC(myfac) parameters dynamically, active until next IPL, but effective immediately.
TS MODI FAC(user#=NAME=myfac)
TS MODI FAC(myfac=PGM=myproc)
TS MODI FAC(myfac=MODE=warn)
2. Create (or use existing) regionID with NOPW FAC(STC) MASTFAC(myfac)
TS CRE(regionID) TYPE(USER) DEPT(dept) NAME('myproc regionID') PASS(NOPW,0)
FAC(STC) MASTFAC(myfac)
3. Assign procname and its regionID to the STC table.
TS ADD(STC) PROCNAME(myproc) ACID(regionID)
4. Grant access to the facility to approved users so they can run the started task.
TS ADD(ALL|profile|user) FAC(myfac)
5. Restart the started task to activate the above changes.
DETAILED INSTRUCTIONS:
0. Add 'myproc' Started Task JCL member to: SYS1.PROCLIB(myproc).
(This is usually supplied/done by the system programmer.)
1. Create a master facility to hold the program and to let users run it.
1a. Add FAC(myfac) parameters to PARMFILE, active after next IPL.
FAC(USER151=NAME=myfac) - rename the facility to something more site specific.
FAC(myfac=PGM=myproc) - match pgm name in SYS1.PROCLIB(myproc)
FAC(myfac=MODE=fail) - change mode to desired setting
FAC(myfac=RES) - change other settings
1b. Add FAC(myfac) parameters dynamically, active until next IPL (but effective immediately).
TS MODI fac(all) - show all active facilities
TS MODI FAC(user151) - show user151
  - If you get an error message like "... no such facility name", then it is unavailable and already taken.
  - If you get details like INITPGM=***, then it is available.
    INITPGM is how it is displayed in TSS MODIFY FAC(fac) output.
    INITPGM is not valid in the PARMFILE. It has to be PGM.
TS MODI FAC(user151=name=myfac) - rename, same as in parmfile.
TS MODI FAC(myfac) - show myfac
TS MODI FAC(myfac=pgm=myproc) - match pgm name in SYS1.PROCLIB(myproc), same as in parmfile.
TS MODI FAC(myfac=mode=fail) - change mode to desired setting.
TS MODI FAC(myfac=RES) - change other settings.
NOTES:
The SYS1.PROCLIB contains started tasks, including the TSS member.
The SYS1.PROCLIB(TSS)'s PARMFILE DD shows the DSN of the PARMFILE:
//PARMFILE DD DISP=SHR,FREE=CLOSE,DSN=SYS2.PARMLIB(TSSPRMF0)
Thus SYS2.PARMLIB(TSSPRMF0) is the PARMFILE.
-
There are 222 pre-defined facilities (user0-user221) in the CA Top Secret Control Options File. With a little trial and error, you can easily find an unused available one to define to your PARMFILE. For example, open the PARMFILE and on the command line, type: FIND 'user151'. If FIND 'user151' returns "No CHARS 'USER151' found", then 'user151' is available. Next, find a logical place in your PARMFILE to add the parameters you want:
-
To ensure conformity with your site specific security requirements, use your site's existing facilities as a guide when creating new facilities.
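The PARMFILE check described in these notes can be scripted against a downloaded copy of the member. The following is an added example, not CA/Broadcom code: it lists USERn slots that no FAC line mentions and flags INITPGM used where PGM is required. The sample text, the function names and the treatment of lines starting with '*' as comments are assumptions of the example.

```python
import re

# Constructed PARMFILE excerpt, not taken from a real system. Lines that
# start with '*' are treated as comments (an assumption of this example).
SAMPLE_PARMFILE = """\
* site facilities (constructed sample)
FAC(USER0=NAME=PAYROLL)
FAC(PAYROLL=PGM=PAY)
FAC(PAYROLL=MODE=FAIL)
FAC(USER151=NAME=MYFAC)
FAC(MYFAC=INITPGM=MYPROC)
FAC(MYFAC=MODE=WARN)
"""

TOTAL_SLOTS = 222  # user0-user221, as stated on this page
FAC_RE = re.compile(r"^\s*FAC\(\s*([^=()\s]+)\s*=\s*([^()]*?)\s*\)", re.I)
SLOT_RE = re.compile(r"USER(\d+)")

def parse_fac_lines(text):
    """Return (line number, facility, setting) for every FAC(...) line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = None if line.lstrip().startswith("*") else FAC_RE.match(line)
        if match:
            entries.append((lineno, match.group(1).upper(), match.group(2).upper()))
    return entries

def free_slots(entries):
    """USERn slots that no FAC line mentions (the FIND 'user151' check)."""
    used = set()
    for _, fac, _ in entries:
        slot = SLOT_RE.fullmatch(fac)
        if slot:
            used.add(int(slot.group(1)))
    return [n for n in range(TOTAL_SLOTS) if n not in used]

def findings(entries):
    """Flag INITPGM in the PARMFILE and renamed facilities lacking PGM=."""
    issues = []
    renamed = {s[5:] for _, f, s in entries
               if SLOT_RE.fullmatch(f) and s.startswith("NAME=")}
    has_pgm = {f for _, f, s in entries if s.startswith("PGM=")}
    for lineno, fac, setting in entries:
        if setting.startswith("INITPGM="):
            issues.append((lineno, fac, "INITPGM is not valid in the PARMFILE, use PGM="))
    for fac in sorted(renamed - has_pgm):
        issues.append((0, fac, "renamed facility has no PGM= line"))
    return issues
```

A slot reported as free here only means the PARMFILE text does not use it; facilities changed dynamically with TS MODI do not appear in the file, so confirm with TS MODI FAC(userNN) as described in step 1b.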
2. Create (or use existing) regionID with non-expiring password, and access to FAC(STC) and MASTFAC(myfac).
TS CRE(regionID) TYPE(USER) DEPT(dept) NAME('proc regionID') PASS(NOPW,0)
FAC(STC) MASTFAC(myfac)
NOTES:
The regionID of TYPE(USER) must be assigned both FAC(STC) and MASTFAC(myfac).
The regionID needs the STC facility in order to access the STC facility.
The regionID needs the 'myfac' master facility to access the 'myproc' started task.
Assigning other acids the mastfac enables them to also access the started task,
which runs under the name of the regionID and under the facilitation of the facilities.
-
If a MASTFAC is not defined for a started task like 'myproc', then 'myproc' will pick up the STC facility by default. But, since a started task like 'myproc' does not (and should not) have access to the STC acid, it will (or should) get the error message: 06 = FACILITY < > NOT AUTHORIZED. To address this error, define a MASTFAC for the started task, and complete the other missing steps listed in this how-to guide.
3. Define procname (started task) and its owner regionID to the STC table.
TS ADD(STC) PROCNAME(myproc) ACID(regionID)
NOTES:
The STC record associates a region-ACID with a started task. This solves the problem of started tasks not having jobcards on which to enter userIDs.
-
To remove a started task from the STC table, remove via the procname not the regionID:
For example, if: TS LIS(stc) shows: STC = myproc ACID = regionID
then use this command to remove it: TS REM(STC) PROCN(myproc)
and then remove the unused FAC(myfac) parameters from the PARMFILE.
4. Grant access to the master facility to approved users.
TS ADD(all|prof|user) FAC(myfac)
NOTES:
Now those users can start the 'myproc' started task in the console:
option 6; SDSF; log; [console:] "s/ myproc"
5. Restart the started task to activate the above changes.