Wrong userid validated against OPSBCPII.STOP.SRV

Article ID: 250506

Products

OPS/MVS Event Management & Automation

Issue/Introduction

We've installed HWS. When trying to stop OPSBCPII via MVS command 'P OPSBCPII', my userid HMTJ625 is suffering an ACF2 violation against the OPERCMDS class resource OPSBCPII.STOP.SRV and the stop is not executed, although I should have access.

See below for the ACF2 violation record:

    DATE     TIME        SOURCE   JNAME    LID      NAME                 DISP      REC SERV LOOKUP-KEY
PRE PST RMC INT FIN UID                       CPU  MODULE   KEY-MOD  DSP-MOD          REQUESTED RESOURCE
MLS     USER-SECLABEL RSRC-SECLABEL MODE   SRC     RRC      RSN

22.257 14/09 17.35.31.67 VNA20007 OPSBCPII HMTJ625  ......        NO-REC   *VIO DEL  ROPA-OPSBCPII
  0   0   8   0  16 IINMDZOSHMTJ625           AC02 ACF9CAUT DIRECTRY    -             ROPA-OPSBCPII.STOP.SRV
SAF RESOURCE CLASS OPERCMDS

RESOURCE NAME: OPSBCPII.STOP.SRV

LOG STRING:    STOP

The rules in ACF2:

$KEY(OPSBCPII) TYPE(OPA)
 DISPLAY.- UID(IINMDZOS) SERVICE(READ) ALLOW
 STOP.SRV UID(IINMDZOS) ALLOW

A test command in ACF2 says it's allowed:

test opsbcpii
 .  rsrc('opsbcpii.stop.srv') lid(hmtj625) service(del)
 THE FOLLOWING PARAMETERS ARE IN EFFECT:
  DATE=14/09/22 TIME=1729 SOURCE=********  UID=IINMDZOSHMTJ625
  LID=HMTJ625  ROLE=
  SERVICE=(DELETE)

  TARGET RESOURCE: ROPA OPSBCPII.STOP.SRV

  VALIDATED RULE LINE FROM OPSBCPII TYPE OPA
  STOP.SRV UID(IINMDZOS) ALLOW

  RESULT: ACCESS WOULD BE ALLOWED
  REASON: RESOURCE RULE

A sectrace shows a validation against userid OPSBCPII ???

SMFID= AC02         TOD= 17:35:31.67    TRACEID= HHHH       USERID= OPSBCPII
JOBNAME= OPSBCPII   ASID= 0163          PGM= CASRVCMD       CURR RB= CASRVCMD
SFR/RFR= 8/8:0      MODE= TASK          APF= AUTHORIZED     LOCKS= NONE
SAFDEF= OPERCMDS GSO      MODE= GLOBAL

RACROUTE REQUEST=AUTH,REQSTOR='CASRVOCA',SUBSYS='OPSBCPII',
         CLASS='OPERCMDS',RELEASE=1.9,STATUS=NONE,ATTR=CONTROL,
         DSTYPE=N,DECOUPL=YES,ENTITY=('OPSBCPII.STOP.SRV'),FILESEQ=0,
         GENERIC=ASIS,LOG=ASIS,LOGSTR=('STOP'),MSGRTRN=YES,MSGSP=1,
         TAPELBL=STD,UTOKEN=,WORKA=
UTOKEN   DATA AREA FOLLOWS
0001C8BC +000  50018053 55545555 55555555 55555555  *&...............*
0001C8CC +010  55555555 55555555 55555555 55555555  *................*
0001C8DC +020  55555555 55555555 55555555 55555555  *................*
0001C8EC +030  B08094A7 A5A5A5A2 55555555 55555555  *..mxvvvs........*
0001C8FC +040  9D81B684 A3A7A015 9C9C8081 91BC83B7  *.a.dtx.....aj.c.*

When inserting an access for userid OPSBCPII (uid string = IINMDZOSOPSBCPII),

$KEY(OPSBCPII) TYPE(OPA)                      
 DISPLAY.- UID(IINMDZOS) SERVICE(READ) ALLOW  
 STOP.SRV UID(IINMDZOS) ALLOW                 
 - UID(SDIOPERA) LOG                          

then the stop succeeds.

Not sure this is a case for OPS support or ACF2 support.

Can you check what's going wrong?

Environment

Release : 14.0

Component : OPS/MVS BCPII INTERFACE

Resolution

The user ID that issues the command needs OPERCMDS authority, in addition to OPSMAIN.

Per the documentation, "the issuer of the MVS STOP command needs CONTROL access to the SAF resource OPERCMDS(stcname.STOP.SRV). For example, OPERCMDS(OPSBCPII.STOP.SRV). The OPS/MVS main address space (OPSMAIN by default) uses the MVS STOP command to stop the OPSBCPII STC, and therefore needs this SAF access."

We are clarifying that if the commands are issued by a user other than OPSMVS, then that USERID also needs authority to OPERCMDS in addition to OPSMAIN.
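
When an ACF2 TEST against the issuing logonid reports that access would be allowed but the violation persists, the SECTRACE record shows which identity, resource and access level the RACROUTE check actually used. The following Python sketch is an added example, not Broadcom code: it parses the trace text quoted in this article (UTOKEN dump omitted) and flags when the validated USERID differs from the operator who issued the command. The function names are hypothetical.

```python
import re

# Trace text copied from the SECTRACE output shown in this article (UTOKEN dump omitted).
SAMPLE_TRACE = """\
SMFID= AC02         TOD= 17:35:31.67    TRACEID= HHHH       USERID= OPSBCPII
JOBNAME= OPSBCPII   ASID= 0163          PGM= CASRVCMD       CURR RB= CASRVCMD
SFR/RFR= 8/8:0      MODE= TASK          APF= AUTHORIZED     LOCKS= NONE
SAFDEF= OPERCMDS GSO      MODE= GLOBAL

RACROUTE REQUEST=AUTH,REQSTOR='CASRVOCA',SUBSYS='OPSBCPII',
         CLASS='OPERCMDS',RELEASE=1.9,STATUS=NONE,ATTR=CONTROL,
         DSTYPE=N,DECOUPL=YES,ENTITY=('OPSBCPII.STOP.SRV'),FILESEQ=0,
         GENERIC=ASIS,LOG=ASIS,LOGSTR=('STOP'),MSGRTRN=YES,MSGSP=1,
         TAPELBL=STD,UTOKEN=,WORKA=
UTOKEN   DATA AREA FOLLOWS
"""

def parse_sectrace(text):
    """Split one SECTRACE record into header fields and RACROUTE keywords."""
    head, _, rest = text.partition("RACROUTE")
    header = {}
    for line in head.splitlines():
        # Header fields are "KEY= value" cells separated by two or more spaces.
        for cell in re.split(r"\s{2,}", line.strip()):
            key, sep, value = cell.partition("= ")
            if sep:
                header.setdefault(key.strip(), value.strip())  # keep first MODE=
    # Keyword operands end where the UTOKEN storage dump starts.
    operands = re.split(r"UTOKEN\s+DATA AREA", rest)[0]
    params = {k: v.strip("()'") for k, v in
              re.findall(r"(\w+)=(\('[^']*'\)|'[^']*'|[^,\s]*)", operands)}
    return header, params

def explain_check(text, issuer):
    """Report which identity was validated, for what, and whether it is the issuer."""
    header, params = parse_sectrace(text)
    return {
        "validated_userid": header.get("USERID"),
        "jobname": header.get("JOBNAME"),
        "class": params.get("CLASS"),
        "resource": params.get("ENTITY"),
        "access": params.get("ATTR"),
        "issuer_mismatch": header.get("USERID") != issuer.upper(),
    }

if __name__ == "__main__":
    for field, value in explain_check(SAMPLE_TRACE, "hmtj625").items():
        print(f"{field:17} {value}")
```

For the trace in this article, the report shows the check running under USERID OPSBCPII with ATTR=CONTROL on OPERCMDS resource OPSBCPII.STOP.SRV, not under the operator's logonid.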