In DMLO, am receiving E2031 NOT AUTHORIZED FOR SUBSCHEMA ACCESS. How can I correct this error?

book

Article ID: 38640

calendar_today

Updated On:

Products

CA IDMS CA IDMS - Database CA IDMS - ADS

Issue/Introduction

Question:

In the DMLO Main Menu screen, after entering my USER ID; PASSWORD and SUBSCHEMA, I received message E2031 NOT AUTHORIZED FOR SUBSCHEMA ACCESS. How can I correct this error?

 

Answer:

Centralized CA IDMS security facility supersedes any validation by CA IDMS DMLO. That is, if access to a dictionary or database is prohibited by the central security facility, you cannot use CA IDMS DMLO to bypass or override that level of security

The E2031 NOT AUTHORIZED FOR SUBSCHEMA ACCESS message means that DMLO security is turned on and the user is not registered for the subschema. Program DBMSDMLO controls DMLO security and there are three different levels of security.

First, determine what DMLO Level security is on and then second, determine whether the User is registered for the subschema.

First, issue a DCUF to that DICTIONARY.

Then go into IDD in the dictionary that received the E2031 message and issue the following commands: 
- SIGNON DICTNAME dictionary-name 
- DISPLAY PROGRAM DBMSDMLO. 
- DISPLAY PROGRAM DBMSDMLO VER HIGHEST. 

If you had Level 2 security it would be DBMSDMLO Version 2. 

DISPLAY PROGRAM DBMSDMLO VERSION IS 2.        

PROGRAM DESCRIPTION is 'SR,SU,PR,PU,ER,EU'.

Also in IDD, display the User to see whether they have access to DMLO.  If IDD SECURITY is ON in the dictionary, your User must be assigned IDD authority through the AUTHORITY clause of the USER statement. Use the command ‘DIS OPTIONS FOR SESSION.’ or ‘DIS OPTIONS FOR DICTIONARY’ to verify whether SECURITY FOR IDD IS ON. 
(see IDD Reference Guide, Chapter 5 Entity-Type Syntax, USER on page 389)). 

Here's an example: 
DISPLAY USER NAME IS DAPABC . 
*+ ADD 
*+ USER NAME IS DAPABC 
*+ DATE CREATED IS 06/04/09 
*+ PREPARED BY USERABC 
*+ FULL NAME IS 'user name' 

*+USER DESCRIPTION IS 'SR,SU'.(change this to match what's in program DBMSDMLO)

*+ IDD SIGNON IS ALLOWED 
*+ SIGNON PROFILE IS PROFMOD VERSION IS 1 LANGUAGE IS DC 
*+ AUTHORITY FOR UPDATE IS ( 
*+ ALL ) 
*+ DEFAULT FOR PUBLIC ACCESS IS ALL 
*+ CULPRIT OVERRIDES ARE ALLOWED 
*+ OLQ QFILE IS ALLOWED

.
To correct this; either turn DMLO security off or in IDD issue a 
MOD USER <name> INCLUDE ACCESS TO SUBS <name> SCHEMA <schema> V <version> ; 

To disable DMLO security, make sure that version 1 exists of program DBMSDMLO, in this 
dictionary, with no other versions. 

Additional Information:

CA IDMS Release 17.1 Installation and Maintenance Guide

Appendix G: CA IDMS DMLO Implementations

CA IDMS DMLO Security

The three levels of security available to CA IDMS DMLO users are as follows:

- Level 1 security indicates that a security check is not needed. Any user who signs on to CA IDMS DMLO and specifies a valid subschema for the requested dictionary is permitted to access the database. Level 1 is the default security level. 
- Level 2 security indicates that CA IDMS DMLO verifies that the user and password combination specified during CA IDMS DMLO sign-on exist in the requested dictionary. If they do, the user can access any valid subschema in that dictionary. 
- Level 3 security indicates that CA IDMS DMLO not only validates the user and password, but also verifies that the user has authorization to access the requested subschema. The user must be registered for access to the requested subschema in the requested dictionary. 

Use the following syntax to register for access to a given subschema:

(ADD/MOD) USER userid PASSWORD pswd

INCLUDE ACCESS TO SUBSCHEMA subname OF SCHEMA schname V vers-nbr.

For both Level 2 security and Level 3 security, special consideration is given to situations where the user ID used to sign on to the CA IDMS DMLO session is the same as the user ID used to sign on to the CA IDMS/DC system. In this case, the password is not checked even though the user must still be defined to the requested dictionary. Non-validation of the password conforms to the processing done by the dictionary task.

To implement security for CA IDMS DMLO, you must register program DBMSDMLO with a version number of 1, 2, or 3. The version number corresponds to the desired security level. Use the following syntax to add this program:

ADD PROGRAM NAME IS DBMSDMLO VERSION IS n.

You must register DBMSDMLO in each dictionary for which security beyond the default is required.

TEC1073044 How to implement DMLO security, using program DBMSDMLO?


TEC486103 DMLO receiving 'E4502 Ready Usage-Mode Security Violation'.

 
CA IDMS Release 18.5 IDD DDDL Reference Guide,

Chapter 3: DDDL Compiler Options, DISPLAY/PUNCH OPTIONS Statement

Chapter 5: Entity-Type Syntax, USER

 

RI75574 (18.5) DMLO IMPLEMENTATION DROPPED FROM MANUAL

Information on DML Online implementation was dropped from the    

CA IDMS Installation and Maintenance Guide for z/OS.  It is      

present in the CA IDMS Installation and Maintenance Guide - for  

z/VSE as Appendix D and E.                            

Refer to Appendix D and Appendix E of the CA IDMS Installation   

and Maintenance Guide for z/VSE for the required information.

Environment

Release: IDADSO00100-18.5-ADS-for CA-IDMS
Component: