How do I address the violation message ACF04056 ACCESS TO RESOURCE SYSREXX.AXRUSER TYPE RSUR BY AXRUSER NOT AUTHORIZED that occurs during an IPL?


Article ID: 3930


Products

CA ACF2, CA ACF2 - DB2 Option, CA ACF2 for zVM, CA ACF2 - z/OS, CA ACF2 - MISC, CA PanApt, CA PanAudit

Issue/Introduction

During the IPL of my z/OS system I get the following ACF2 messages:

ACF04056 ACCESS TO RESOURCE SYSREXX.AXRUSER TYPE RSUR BY AXRUSER NOT AUTHORIZED

IEF196I ACF04056 ACCESS TO RESOURCE SYSREXX.AXRUSER TYPE RSUR BY

IEF196I AXRUSER NOT AUTHORIZED

AXR0111I AXRUSER VALUE OF AXRUSER IS REJECTED BY RACROUTE REQUEST=AUTH.

RACROUTE (SAF) RETCODE= 8, RACF RETCODE= 8, RACF RSNCODE= 0.

ANY SUBSEQUENT USE OF AXRUSER WILL BE REJECTED.

Environment

Release: ACF2..001AO-16-ACF2

Resolution

SYSREXX is the z/OS component that lets you execute REXX execs outside of the TSO/E environment. Its started task is AXR.

The SYSREXX documentation includes these RACF statements:

RDEFINE SURROGAT SYSREXX.AXRUSER UACC(NONE)

SETROPTS GENERIC (SURROGAT) REFRESH (<userid>)

PERMIT SYSREXX.AXRUSER CL(SURROGAT) ACCESS(ALTER) ID(<userid>)

The ACF2 equivalent statements are:

ACF

SET RESOURCE(SUR)

$KEY(SYSREXX) TYPE(SUR)

AXRUSER UID(UID string for userid) SERVICE(ADD) ALLOW

Alternatively, the rule key can be defined to include the entire resource name:

$KEY(SYSREXX.AXRUSER) TYPE(SUR)

UID(UID string for userid) SERVICE(ADD) ALLOW

(The inclusion of the SERVICE keyword is optional.)

The SUR resource type must be resident, so ensure that R-RSUR is in your INFODIR record.

Issue the SHOW RESIDENT command. If RSUR is not displayed in the output, enter these ACF commands to add it:

SET CONTROL(GSO)

CHANGE INFODIR TYPES(R-RSUR) ADD

F ACF2,REFRESH(INFODIR)

To activate the new rule:

F ACF2,REBUILD(SUR)
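
To check a saved log extract from the next IPL for the messages quoted above, the following Python script can be used. It is an added example, not part of the original article or of any CA/Broadcom tooling; the function names and the sample are constructed here, and it assumes one message per line with any timestamp or job prefix already stripped. It rejoins the IEF196I-wrapped copy, counts each distinct violation, and derives the rule type code and INFODIR entry from the TYPE field using the RSUR / SUR / R-RSUR pattern shown in this article.

```python
import re

# Message layout taken from the article's ACF04056 text.
VIOLATION = re.compile(
    r"ACF04056 ACCESS TO RESOURCE (?P<resource>\S+) TYPE (?P<rtype>\S+) "
    r"BY (?P<logonid>\S+) NOT AUTHORIZED")
MSG_ID = re.compile(r"[A-Z]{3,5}\d{3,5}[A-Z]? ")  # e.g. ACF04056, AXR0111I

def unwrap(lines):
    """Rejoin messages that IEF196I echoes across several lines."""
    out, in_echo = [], False
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("IEF196I "):
            body = line[len("IEF196I "):].strip()
            if in_echo and out and not MSG_ID.match(body):
                out[-1] += " " + body      # continuation of the echoed message
            else:
                out.append(body)           # a new echoed message starts here
            in_echo = True
        else:
            out.append(line)
            in_echo = False
    return out

def find_violations(lines):
    """Return one record per distinct (resource, type, logonid) violation."""
    found = {}
    for msg in unwrap(lines):
        m = VIOLATION.search(msg)
        if not m:
            continue
        rec = found.setdefault(m.group(0), dict(m.groupdict(), count=0))
        rec["count"] += 1
        # Assumption from the article: TYPE RSUR = "R" + type code SUR,
        # and the INFODIR entry for a resident type is "R-" + that value.
        rec["type_code"] = rec["rtype"][1:]
        rec["infodir"] = "R-" + rec["rtype"]
    return list(found.values())

# Constructed sample: the message lines quoted in the article.
SAMPLE = """\
ACF04056 ACCESS TO RESOURCE SYSREXX.AXRUSER TYPE RSUR BY AXRUSER NOT AUTHORIZED
IEF196I ACF04056 ACCESS TO RESOURCE SYSREXX.AXRUSER TYPE RSUR BY
IEF196I AXRUSER NOT AUTHORIZED
AXR0111I AXRUSER VALUE OF AXRUSER IS REJECTED BY RACROUTE REQUEST=AUTH.
""".splitlines()

if __name__ == "__main__":
    for v in find_violations(SAMPLE):
        print(v)
```

An empty result for the post-change IPL log means neither the direct nor the echoed ACF04056 message was issued.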