I received a S047 abend in ACF9C000 with the Compuware Abend-AID that appears to be related to APF authorization. What can be done to address this abend?
search cancel

I received a S047 abend in ACF9C000 with the Compuware Abend-AID that appears to be related to APF authorization. What can be done to address this abend?

book

Article ID: 50909

calendar_today

Updated On:

Products

ACF2 ACF2 - DB2 Option ACF2 for zVM ACF2 - z/OS ACF2 - MISC PanApt PanAudit

Issue/Introduction

Description:

The ACF2 SECTRACE utility can be used to verify that the abend is caused by a RACROUTE STATUS=ACCESS call in addition to the program that is making the call.

The SECTRACE can be set from the console as follows.

SECTRACE SET,ID=TEST,TRACE=ALL,FMT=DUMP,DEST=JOBLOB,TYPE=SAFP       
  nn CAS21200 SPECIFY RACROUTE PARAMETERS, CANCEL OR END            
r nn,REQUEST=AUTH,END                                
  nn CAS212210 CONTINUE SAF RACROUTE SPECIFICATIONS, CANCEL, OR END 
r nn,END                                                            
  nn CAS21100 CONTINUE SECTRACE SPECIFICATIONS, CANCEL, OR END      
r nn,END                                                            
CAS21110 SECTRACE SET ON 02.026 13:01:52 ID=TEST

The failing RACROUTE call for the Compuware Abend-AID product looks like:

SMFID= SYS1         TOD= 10:20:25.81    TRACEID= T250       USERID= USER01     
JOBNAME= T250BDX    ASID= 00AB          PGM= FDBMSPLU       CURR RB= FDBMSPLU
SFR/RFR= N/A        MODE= TASK          APF= NON-AUTHORIZED LOCKS= NONE      
RACROUTE REQUEST=AUTH,CLASS='DATASET',RELEASE=1.9,STATUS=ACCESS,             
         ATTR=READ,DSTYPE=M,ENTITY=('SYS1.DB2.DSNLOAD'),FILESEQ=0,        
         GENERIC=ASIS,LOG=ASIS,MSGSP=0,TAPELBL=STD,VOLSER='P3LB25',          
         WORKA=

To avoid the S047 abend, an ACF2 GSO SAFDEF can be coded to bypass the APF authorization check for the STATUS=ACCESS RACROUTE call.

Solution:

The RACROUTE STATUS=ACCESS call permits a user to interrogate security definitions (access and resource rules) to determine access levels for a user. No auditing is done for this request.

In order to maintain system integrity, ACF2 requires that a user be APF authorized to access security definitions. Because the Compuware Abend-AID program FDBMSPLU is not authorized, ACF2 abends the task with an S047 abend.

To accommodate this situation, ACF2 will allow the security administrator to define the specific calls for which the APF authorization check for STATUS=ACCESS will be bypassed.

Users who do not want to use this method should contact the vendor of the product and request that the STATUS=ACCESS call be made in an APF authorized environment.

The bypassing of the authorization check in ACF2 is done through use of the 'NOAPFCHK' keyword added to the GSO SAFDEF record. 'NOAPFCHK' will only be honored for STATUS=ACCESS calls. An example of the SAFDEF used for the Compuware Abend-AID product follows:

ACF
SET CONTROL(GSO)                                                    
INSERT SAFDEF.apf PROGRAM(FDBMSPLU) RB(FDBMSPLU) NOAPFCHK -            
       RACROUTE(REQUEST=AUTH,CLASS=DATASET,STATUS=ACCESS)               
F ACF2,REFRESH(SAFDEF)

Details on the ACF2 SAFDEF can be found in the ACF2 Security for z/OS Administrator Guide in Chapter 14: Maintaining Global System Options Records, section "Environments for SAF Calls (SAFDEF)".

Environment

Release:
Component: ACF2MS
Powered by Wolken Software