Debugging a SARATH92 AUTHORIZATION FAILED message in CA View
Article ID: 31325
Updated On:
Products
Issue/Introduction
A user attempts to view a sysout in View and receives a SARATH92 AUTHORIZATION FAILED message.
How can I determine the cause of the problem?
Environment
View, Deliver, 14.0
Cause
Security failure.
Resolution
An "Authorization Failed" message can appear in the following instances, when attempting to browse reports in CA View:
- If Deliver is used, it may be due to a Report Definition, with Distribution IDs with setting of "Y" for RVIEW.
- The "Y" setting indicates a user has restricted viewing privileges. A setting of "N" will lift the restriction.
- If there is a customized SARSECUX exit in use:
- The DEFAULT size of the CA provided vanilla exit is 0048. If the size of the SARSECUX module in your CVDELOAD library is different, it's been modified.
- Review the coding of the exit, as a modified exit may be keeping the security from working properly.
- If received when using ROSCOE and RACF:
- See if the failure can be repeated when accessing the same report through TSO.
- If the failure is repeated, it could be due to a modified SARUSRUX exit. Review the coding of the exit.
- Review the SARINIT parms SECID= and SECURITY= to determine what security function CA View is using.
- If CA View is configured with SECURITY=EXTERNAL, check the specific external security rules in use and applied to the users profile.
- If there was a change in a user's security profile:
- It could be that the user does not have the proper level of access. Even with a report browse, a user is making an update to the database.
- Review the profile, to determine the nature of the change that lost any security access.
- See Additional Information section of this article.
- For situation analysis, for a short time set SARINIT FEATURE=1, for security diagnostics.
If an "Authorization Failed" message appears, you will see the following diagnostic messages:
SARATH92 AUTHORIZATION FAILED userid UNDER interface RC=xx.xx.xx
SARATH92 CLASS=class ENTITY=resource entity
Reason: Userid is not authorized to access the requested resource for the specified CLASS and ENTITY value.
Action: Consult with your security administrator or systems programming group to determine the reason why the authorization was not granted.
Additional Information
SECID = Is the first node of a security rule. This parameter specifies a one- to eight-character identifier that prefixes the resource name for external security. (Default is SECID=VIEW).
Security CLASS = CHA1VIEW
ACCESS LEVEL = Read, Update, Control, Alter
RESOURCE TYPE = There are 17 resource types that are used as the second node of a security rule:
Resource Resources
Type Protected
---------------------------------------------------
ADMIN Content/Web Viewer Administrator
BANR Banner page members
DBAS SARDBASE functions
DEV Device definition (DEF DEV command)
DIST Distribution definition (DEF DIST command)
FILT Filter definitions (DEF FILTER command)
GROUP Content/Web Viewer repository groups
IDXN Index name
IDXV Index value
JOB Job
NOTE Annotations and bookmarks
PANL Online panel members
REPT SYSOUTs/Reports
RAPS All pages of a SYSOUT/Report
SYS SYSOUT definition (DEF SYS command)
USER User IDs (DEF USER command)
VIEW Logical Views
- The following CA View native security rules can be used for browsing reports:
secid.REPT.*
secid.VIEW.*
secid.RAPS.*
- The above format would be used, in constructing a rule, regardless of the security package used.
- Review rules similar to the above, to make sure that they have been entered correctly.
More detailed information is provided in the View documentation under the section External Security
Feedback
