A user attempts to view a sysout in View and receives a SARATH92 AUTHORIZATION FAILED message.
How can I determine the cause of the problem?
View, Deliver, 14.0
An "Authorization Failed" message can appear in the following instances, when attempting to browse reports in CA View:
- If Deliver is used, it may be due to a Report Definition, with Distribution IDs with setting of "Y" for RVIEW.
- The "Y" setting indicates a user has restricted viewing privileges. A setting of "N" will lift the restriction.
- If there is a customized SARSECUX exit in use:
- The DEFAULT size of the CA provided vanilla exit is 0048. If the size of the SARSECUX module in your CVDELOAD library is different, it's been modified.
- Review the coding of the exit, as a modified exit may be keeping the security from working properly.
- If received when using ROSCOE and RACF:
- See if the failure can be repeated when accessing the same report through TSO.
- If the failure is repeated, it could be due to a modified SARUSRUX exit. Review the coding of the exit.
- Review the SARINIT parms SECID= and SECURITY= to determine what security function CA View is using.
- If CA View is configured with SECURITY=EXTERNAL, check the specific external security rules in use and applied to the users profile.
- If there was a change in a user's security profile:
- It could be that the user does not have the proper level of access. Even with a report browse, a user is making an update to the database.
- Review the profile, to determine the nature of the change that lost any security access.
- See Additional Information section of this article.
- For situation analysis, for a short time set SARINIT FEATURE=1, for security diagnostics.
If an "Authorization Failed" message appears, you will see the following diagnostic messages:
SARATH92 AUTHORIZATION FAILED userid UNDER interface RC=xx.xx.xx
SARATH92 CLASS=class ENTITY=resource entity
Reason: Userid is not authorized to access the requested resource for the specified CLASS and ENTITY value.
Action: Consult with your security administrator or systems programming group to determine the reason why the authorization was not granted.
SECID = Is the first node of a security rule. This parameter specifies a one- to eight-character identifier that prefixes the resource name for external security. (Default is SECID=VIEW).
Security CLASS = CHA1VIEW
ACCESS LEVEL = Read, Update, Control, Alter
RESOURCE TYPE = There are 17 resource types that are used as the second node of a security rule:
ADMIN Content/Web Viewer Administrator
BANR Banner page members
DBAS SARDBASE functions
DEV Device definition (DEF DEV command)
DIST Distribution definition (DEF DIST command)
FILT Filter definitions (DEF FILTER command)
GROUP Content/Web Viewer repository groups
IDXN Index name
IDXV Index value
NOTE Annotations and bookmarks
PANL Online panel members
RAPS All pages of a SYSOUT/Report
SYS SYSOUT definition (DEF SYS command)
USER User IDs (DEF USER command)
VIEW Logical Views
- The following CA View native security rules can be used for browsing reports:
- The above format would be used, in constructing a rule, regardless of the security package used.
- Review rules similar to the above, to make sure that they have been entered correctly.
More detailed information is provided in the View documentation under the section External Security