After applying the CARS2110 maintenance–which includes Solution SO15825, titled "USERS WITH NO AUTHORITY IN SYSTEM SHOW AS UPDATE"–certain Ideal users received an error message:
IDADSVCS01E - Insufficient level of authorization for the requested function
Another message could be:
IDADSLSP06E - SYS xxx not valid, SYSTEM short id is not defined
The users were previously authorized to Ideal systems using DDUPDATE to grant different access levels, but displaying the user in Ideal showed no access to the system.
Another user was unable to run their login member, and they had to first issue a SEL SYS xxx command before running the member.
Recycling the CICS region and the MUF had no effect.
What is the cause of this error, and how is it corrected?
Ideal users who have a system authorization created using DDUPDATE with an invalid 1003 DATA transaction are successfully added to the system, but because the 1003 DATA transaction was not defined correctly, users are not granted the correct level of access to the desired system.
Ideal users can be authorized to Ideal systems either through online panels or through batch DDUPDATE transactions. This article does not apply to users who were authorized through online panels, but only through DDUPDATE processing.
Applying Solution SO15825, titled "USERS WITH NO AUTHORITY IN SYSTEM SHOW AS UPDATE," corrected a problem with certain Ideal users who received Update access to Ideal systems where they were supposed to have no access. Another result of applying this solution is that some users who were previously authorized (through DDUPDATE) before this solution now showed no access afterward. The Ideal system was shown on the DISPLAY USER screen, but there was no display of the access attributes that should have been in place.
First, here is an explanation of how users are added through DDUPDATE.
When you define user access levels added through Datadictionary, you are required to have a set of transactions with these records:
Here is an example set of transactions to grant access to the Ideal system called ACCOUNT-MGMT:
-UPD PERSON,JOE-SMITH (PROD)
1003 RELT,SYSTEM,ACCOUNT-MGMT (PROD),PER-SYS-ACCESS
1003 DATA,$IDY
-END
Issue: Invalid 1003 DATA Format Preventing User Access
The 1003 DATA transaction requires a specific format: it must begin with the literal string "$ID" (highlighted in blue), followed by a one-character hexadecimal value (shown as "Y" highlighted in yellow) that defines access permissions. Note that "$ID" is a mandatory literal string, not a system short name. This 4-byte value is stored in the Datadictionary relationship record.
If the 1003 DATA value does not start with "$ID," Ideal will not recognize it as an authorization setting, resulting in the user being denied access to the system, regardless of the subsequent bit settings. For more details about this process, refer to the documentation section "Using Batch to Maintain Ideal for Datacom User Definitions" in the Datacom Tools.
How Ideal Processes Application Access:
When a user attempts to run a program, Ideal checks the relationship record to verify the user's access level. If "$ID" is missing from the 1003 DATA value, Ideal determines the user has no access, triggering an application error.
Solution for Fixing Invalid Data:
The JCL also allows for reporting, file printing, and backups of the Datadictionary before making updates. It supports processing with either SQL or Dataquery (if SQL is not installed).
Steps to Use the JCL:
In some cases where more than 30,000 records were incorrectly added due to programming errors, this process quickly resolved the problem and eliminated the application errors.
Recommendation: First run the job in REPORT mode to evaluate the extent of the problem, then proceed with the updates as necessary.
As always, please contact Broadcom support for Datacom if you have further questions.