$HASP690 SOURCE OF COMMAND HAS IMPROPER AUTHORITY, received when issuing JES2 command through the internal reader in BATCH.

There is neither Top Secret messages nor TSS violations reported.

When JES2 commands are submitted through an Internal Reader, the command level is not controlled by the jobclass. JES2 commands must be outside of any job submitted through the internal reader. The command level is controlled by the definition of the internal reader in the INTRDR statement in the JES2 parms

When JES2 encounters a JES2 command within the jobstream entered through an internal reader, it does call the security product to see if the command is allowed.

The only time the old AUTH levels from the INTRDR statement will be used is if this check gets RC=04, meaning the resource is not protected.

To obtain an RC=4 either the resource is not defined to TSS, i.e. not owned, or a PERMIT is found with ACTION(PASSWORD).

Example:

A permit like OPERCMDS(JES2.) ACCESS(ALL) ACTION(PASSWORD) will return an RC=4

ACTION(PASSWORD) means, if the call would otherwise end in RC=0, the return code is changed to RC=4. It is ACTION(PASSWORD) because if the resource class is DATASET, the return code of 4 may allow the operating system to check the PASSWORD dataset to see if the dataset being opened has a password. But what ACTION(PASSWORD) really does is change the return code to 4.

So, in summary, the message indicates a problem with the AUTH levels as defined in the INTRDR statement. OPERCMDS will override these levels, unless the OPERCMDS check ends in RC=04. The check will end in RC=04 if the best match allows access but includes ACTION(PASSWORD) (or, of course, if the resource is not owned).