Resolving errors with Ideal users created by DDUPDATE batch process

Article ID: 238512

Products

Datacom Ideal

Issue/Introduction

After applying the CARS2110 maintenance, which includes Solution SO15825, titled "USERS WITH NO AUTHORITY IN SYSTEM SHOW AS UPDATE", certain Ideal users received an error message:

IDADSVCS01E - Insufficient level of authorization for the requested function

Another message could be:

IDADSLSP06E - SYS xxx not valid, SYSTEM short id is not defined

The users were previously authorized to Ideal systems using DDUPDATE to grant different access levels, but displaying the user in Ideal showed no access to the system.

Another user was unable to run their login member, and they had to first issue a SEL SYS xxx command before running the member.

Recycling the CICS region and the MUF had no effect.

What is the cause of this error, and how is it corrected?

Cause

Ideal users who have a system authorization created using DDUPDATE with an invalid 1003 DATA transaction are successfully added to the system, but because the 1003 DATA transaction was not defined correctly, users are not granted the correct level of access to the desired system.

Resolution

Ideal users can be authorized to Ideal systems either through online panels or through batch DDUPDATE transactions. This article applies only to users who were authorized through DDUPDATE processing, not to users who were authorized through online panels.

Applying Solution SO15825, titled "USERS WITH NO AUTHORITY IN SYSTEM SHOW AS UPDATE", corrected a problem where certain Ideal users received Update access to Ideal systems to which they were supposed to have no access. Another result of applying this solution is that some users who had been authorized through DDUPDATE before the solution was applied showed no access afterward. The Ideal system was shown on the DISPLAY USER screen, but the access attributes that should have been in place were not displayed.

First, here is an explanation of how users are added through DDUPDATE.

When you define user access levels added through Datadictionary, you are required to have a set of transactions with these records:

  • -UPD ... This identifies the user to whom the system access is added
  • 1003 RELT ... This creates a relationship from the user to the Ideal system using the long system name
  • 1003 DATA ... This defines the access level to the above Ideal system for the user
  • 1003 RELT ... This creates another relationship from the user to another Ideal system
  • 1003 DATA ... This defines the access level for the above system
  • . . .  <repeat for every system the user needs>
  • -END

Here is an example set of transactions to grant access to the Ideal system called ACCOUNT-MGMT:

-UPD PERSON,JOE-SMITH    (PROD)
1003 RELT,SYSTEM,ACCOUNT-MGMT (PROD),PER-SYS-ACCESS  
1003 DATA,$IDY
-END

Issue: Invalid 1003 DATA Format Preventing User Access

The 1003 DATA transaction requires a specific format: it must begin with the literal string "$ID", followed by a one-character hexadecimal value ("Y" in the example above) that defines access permissions. Note that "$ID" is a mandatory literal string, not a system short name. This 4-byte value is stored in the Datadictionary relationship record.

If the 1003 DATA value does not start with "$ID", Ideal will not recognize it as an authorization setting, resulting in the user being denied access to the system, regardless of the subsequent bit settings. For more details about this process, refer to the documentation section "Using Batch to Maintain Ideal for Datacom User Definitions" in the Datacom Tools.

How Ideal Processes Application Access:

When a user attempts to run a program, Ideal checks the relationship record to verify the user's access level. If "$ID" is missing from the 1003 DATA value, Ideal determines the user has no access, triggering an application error.
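The format rule above can be checked on a DDUPDATE transaction deck before it is submitted. The following Python check is an added example, not Broadcom's JCL and not part of the original article; it assumes the record layout shown in the article's single example, and the names find_invalid_data and SAMPLE_DECK, along with the sample deck itself, are constructed for illustration.

```python
import re

# Constructed sample deck (not from the article's attachment). Record layout is
# assumed from the article's example: -UPD / 1003 RELT / 1003 DATA / -END.
SAMPLE_DECK = """\
-UPD PERSON,JOE-SMITH    (PROD)
1003 RELT,SYSTEM,ACCOUNT-MGMT (PROD),PER-SYS-ACCESS
1003 DATA,$IDY
1003 RELT,SYSTEM,PAYROLL (PROD),PER-SYS-ACCESS
1003 DATA,PAYY
-END
-UPD PERSON,ANN-JONES    (PROD)
1003 RELT,SYSTEM,ACCOUNT-MGMT (PROD),PER-SYS-ACCESS
1003 DATA,Y
-END
"""

UPD_RE = re.compile(r"^-UPD\s+PERSON,(\S+)")
RELT_RE = re.compile(r"^1003\s+RELT,SYSTEM,(\S+)")
DATA_RE = re.compile(r"^1003\s+DATA,(.*)$")


def find_invalid_data(deck):
    """Return (line_no, user, system, value, reason) for each bad 1003 DATA record."""
    findings = []
    user = system = None
    for line_no, raw in enumerate(deck.splitlines(), start=1):
        line = raw.rstrip()
        if line.startswith("-END"):
            user = system = None
        elif m := UPD_RE.match(line):
            user, system = m.group(1), None
        elif m := RELT_RE.match(line):
            system = m.group(1)
        elif m := DATA_RE.match(line):
            value = m.group(1).strip()
            reason = None
            if not value.startswith("$ID"):
                reason = 'does not start with "$ID"'
            elif len(value) != 4:
                reason = "not 4 bytes ($ID + one access character)"
            if reason:
                findings.append((line_no, user, system, value, reason))
            system = None  # a DATA record belongs to the RELT just before it
    return findings

if __name__ == "__main__":
    for line_no, user, system, value, reason in find_invalid_data(SAMPLE_DECK):
        print(f"line {line_no}: {user} -> {system}: DATA {value!r} {reason}")
```

The second record for JOE-SMITH shows the mistake the article calls out, a system short name used where the literal "$ID" is required.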

Solution for Fixing Invalid Data:

  • For individual users, you can manually update their access using standard online procedures.
  • For bulk updates, a batch process is recommended. The attached JCL file helps with this by:
    • Listing users with invalid 1003 DATA values.
    • Reworking the existing data into the correct DDUPDATE transactions.
    • Running the DDUPDATE program to correct the relationship records.

The JCL also allows for reporting, file printing, and backups of the Datadictionary before making updates. It supports processing with either SQL or Dataquery (if SQL is not installed).

Steps to Use the JCL:

  1. Run with RUNTYPE=REPORT to assess the scope of the issue.
  2. Limit the number of records or select up to four users for manual verification before running the process across the entire system.

In some cases where more than 30,000 records were incorrectly added due to programming errors, this process quickly resolved the problem and eliminated the application errors.

Recommendation: First run the job in REPORT mode to evaluate the extent of the problem, then proceed with the updates as necessary.

Additional Information

As always, please contact Broadcom support for Datacom if you have further questions.

Attachments

1667331423957__DD-Ideal Intersection (EN).txt