BPA0013E COMMAND CANCELLED BY USER SECURITY EXIT EXIT01
search cancel

BPA0013E COMMAND CANCELLED BY USER SECURITY EXIT EXIT01

book

Article ID: 47939

calendar_today

Updated On:

Products

Batch Processor

Issue/Introduction

Executing a Batch Processor strategy that abends and then requires restart processing fails with the following message:

 	UID AAAAAAAA IS NOT AUTHORIZED TO CHANGE AUTHID TO BBBBBBBB 	
 	BPA0013E: COMMAND CANCELLED BY USER SECURITY EXIT: EXIT01

Resolution

The BPA0013E message is caused by the following change:

With Database Management for Db2 for z/OS release r14 and onwards, there was a change to the default behavior of the Batch Processor EXIT01 processing.
Prior to Db2 tools r14, the default behavior was to allow any user to use the .AUTH command to switch to another id.

From r14 onwards, the default EXIT01 behavior is to not allow a user to use the .AUTH to switch to another
id UNLESS the relevant security definitions are in place in the clients external security (RACF/ACF2/TSS).

To use the default supplied EXIT01 (in hlq.CDBASRC), which is linked into BPLSEC (in hlq.CDBALOAD), you will also need to add the external security definitions.

(see Implementation Guide, Chapter 5 - Executing Product Specific Customization Tasks, section Value Pack Product Customization, sub-section How To Use The Delivered Security Exits)

You will also want to review TEC553160 for security examples to permit the .AUTH command in your security setup.

The .AUTH command that is being processed is the result of the .RESTART that is being done. Batch Processor (RBP) will generate an implicit .AUTH command on a restart if the current user is not the user who originally submitted the job. This is to have the restart execute under the authority of the original submitter, and requires that the submitter of the restarted job have authorization for executing .AUTH commands.

Solutions for this message include;

  • Original user submits the .RESTART processing

  • Customer to allow re-submitting user the ability to use .AUTH commands via the RBP security exit

  • Use RESTART OVERRIDE as the analysis can be rerun from the start

  • Using the BPID (from the .CONTROL statement) update the PTI.BPLOG_0203
    table changing the BPLOG_USERID to the resubmitting user-id.

  • The BATPROC parmlib member can be updated to specify AUTHERR (WARN)
    which will cause a BPA0164W warning message to be issued, but new submitter will be able to execute the restart.
    This will only work if the RBP Security exit EXIT01 returns an 8 return code, which is the default as provided.
Powered by Wolken Software