IEE345I appears when issuing Operator commands


Article ID: 26259


Updated On: 05-07-2025

Products

ACF2, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

A MODIFY or VARY operator console command on z/OS fails with:

 
IEE345I VARY CN AUTHORITY INVALID, FAILED BY MVS
 

or


IEE345I MODIFY AUTHORITY INVALID, FAILED BY MVS

What is needed to allow this to work?

Cause

This is the result of a RACROUTE REQUEST=AUTH,CLASS=OPERCMDS call from the operating system. By default, ACF2 ignores all operator command validation and replies to the caller with a return code of 4. Per the IBM RACROUTE manual, a return code of 4 means the specified resource is not protected by security. Most applications allow access to the resource with this return code, but in some cases the application fails the request. In this case, the operating system treats the return code of 4 as a failure.

Resolution

To get this to work, sites need to override the default SAFDEF record that ACF2 supplies. The override can be done one of two ways.

The first is to change the return code to 0 (zero). This allows any operator command. Here is the SAFDEF that would be needed:

TSO ACF
SET CONTROL(GSO)
INSERT SAFDEF.OPR ID(OPR) FUNCRET(0) RETCODE(0) MODE(IGNORE) RACROUTE(REQUEST=AUTH,CLASS=OPERCMDS) 
F ACF2,REFRESH(SAFDEF)

The recommended way to correct this from a security standpoint is to validate operator commands. Be sure to write the rules first. Here is an example of a generic rule:

$KEY(********) TYPE(OPR)
VARY.- UID(uid of system programmers) ALLOW
VARY.- UID(uid of operators) ALLOW
- UID(uid of operators) ALLOW

Alternatively, the MVS commands and JES2 commands can be separated. Here is an example of that:

$KEY(MVS) TYPE(OPR)
VARY.- UID(uid of system programmers) ALLOW
VARY.- UID(uid of operators) ALLOW
MODIFY.- UID(uid of operators) ALLOW
- UID(uid of operators) ALLOW

$KEY(JES2) TYPE(OPR)
- UID(uid of operators) ALLOW

The Techdoc 'Protect Operator Commands' can be used as a reference.

The default type code for operator commands is SAF. To change the type code to the one used in the rule examples, enter the following:

ACF
SET CONTROL(GSO)
INSERT CLASMAP.OPR RESOURCE(OPERCMDS) RSRCTYPE(OPR)
F ACF2,REFRESH(CLASMAP)

If a masked key is used, an INFODIR change is needed.

ACF
SET CONTROL(GSO)
CHANGE INFODIR TYPRS(R-ROPR) ADD
F ACF2,REFRESH(INFODIR)
F ACF2,REBUILD(OPR)

The rules are now in storage and ready for the change to validating operator commands.

ACF 
SET CONTROL(GSO)
INSERT SAFDEF.OPR ID(OPR) MODE(GLOBAL) RACROUTE(REQUEST=AUTH,CLASS=OPERCMDS) REP
F ACF2,REFRESH(SAFDEF)
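
The following Python sketch models the decision flow described under Cause and Resolution: the default reply of 4, the RETCODE(0) override, and rule validation with MODE(GLOBAL). It is an added illustration, not Broadcom or ACF2 code. The resource names, UIDs and UID masks are constructed, and rule matching is reduced to a single wildcard.

```python
import fnmatch

# SAF return codes for RACROUTE REQUEST=AUTH
RC_ALLOWED, RC_NOT_PROTECTED, RC_DENIED = 0, 4, 8

# Constructed rules mirroring the $KEY(MVS) / $KEY(JES2) example above.
# The UID masks SYSP* and OPER* are hypothetical stand-ins for site UID strings.
RULES = {
    "MVS": [("VARY.-", "SYSP*"), ("VARY.-", "OPER*"),
            ("MODIFY.-", "OPER*"), ("-", "OPER*")],
    "JES2": [("-", "OPER*")],
}

def acf2_reply(mode, resource, uid, retcode=RC_NOT_PROTECTED):
    """Simplified model of the reply to REQUEST=AUTH,CLASS=OPERCMDS."""
    if mode == "IGNORE":  # no validation: reply with the configured return code
        return retcode
    key, _, rest = resource.partition(".")
    for ext_key, uid_mask in RULES.get(key, []):  # MODE(GLOBAL): check rules
        # Simplification: the rule mask "-" is treated as "any characters".
        if (fnmatch.fnmatchcase(rest, ext_key.replace("-", "*"))
                and fnmatch.fnmatchcase(uid, uid_mask)):
            return RC_ALLOWED
    return RC_DENIED  # no ALLOW entry matched

def command_runs(saf_rc, fail_on_rc4):
    """Caller's decision: RC 4 is left to the caller, RC 8 always fails."""
    if saf_rc == RC_NOT_PROTECTED:
        return not fail_on_rc4
    return saf_rc == RC_ALLOWED

# Constructed (resource name, UID) samples
CASES = [("MVS.VARY.CN", "OPER01"), ("MVS.MODIFY.STC.CICSA", "SYSP01"),
         ("JES2.DISPLAY.JOB", "GUEST1")]

def demo():
    """Outcome per SAFDEF setting for a caller that fails RC 4."""
    settings = {"default": ("IGNORE", RC_NOT_PROTECTED),
                "retcode0": ("IGNORE", RC_ALLOWED),
                "validate": ("GLOBAL", None)}
    return {name: [command_runs(acf2_reply(mode, res, uid, rc), True)
                   for res, uid in CASES]
            for name, (mode, rc) in settings.items()}

if __name__ == "__main__":
    for name, results in demo().items():
        print(name, results)
```

With the default every command fails, with RETCODE(0) every command runs regardless of UID, and with validation only the command covered by an ALLOW entry for the issuing UID runs.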