OPERCMDS AND $HASP690E ERROR
search cancel

OPERCMDS AND $HASP690E ERROR

book

Article ID: 48553

calendar_today

Updated On:

Products

Cleanup Datacom DATACOM - AD CIS COMMON SERVICES FOR Z/OS 90S SERVICES DATABASE MANAGEMENT SOLUTIONS FOR DB2 FOR Z/OS COMMON PRODUCT SERVICES COMPONENT Common Services CA ECOMETER SERVER COMPONENT FOC Easytrieve Report Generator for Common Services INFOCAI MAINTENANCE IPC UNICENTER JCLCHECK COMMON COMPONENT Mainframe VM Product Manager CHORUS SOFTWARE MANAGER CA ON DEMAND PORTAL CA Service Desk Manager - Unified Self Service PAM CLIENT FOR LINUX ON MAINFRAME MAINFRAME CONNECTOR FOR LINUX ON MAINFRAME GRAPHICAL MANAGEMENT INTERFACE WEB ADMINISTRATOR FOR TOP SECRET Xpertware Top Secret Top Secret - LDAP Top Secret - VSE

Issue/Introduction

Description:

We receive $HASP690E messages, when issuing JES2 command through the internal reader in BATCH.

There is neither TSS messages nor TSS violations reported.

Solution:

For a JES2 command submitted through an internal reader, the command level is not controlled by thejobclass (as JES2 commands must be outside of any job submitted through the internal reader) but by the definition of the internal reader (the INTRDR statement in the JES2 parms).

When JES2 encounters a JES2 command within the jobstream entered through an internal reader, it does call the security product to see if the command is allowed.

The only time the old auth levels from the INTRDR statement will be used is if this check gets RC=04, meaning the resource is not protected.

To obtain an RC=4 either the resource is not defined to TSS, i.e. not owned, or a PERMIT is found with ACTION(PASSWORD).

Example:

A permit like OPERCMDS(JES2.) ACCESS(ALL) ACTION(PASSWORD) will return an RC=4

ACTION(PASSWORD) means, if the call would otherwise end in RC=0, the return code is changed to RC=4. It is ACTION(PASSWORD) because if the resource class is DATASET, the return code of 4 may allow the operating system to check the PASSWORD dataset to see if the dataset being opened has a password. But what ACTION(PASSWORD) really does is change the return code to 4.

So, in summary, the message indicates a problem with the AUTH levels as defined in the INTRDR statement.OPERCMDS will override these levels, unless the OPERCMDS check ends in RC=04. The check will end in RC=04 if the best match allows access but includes ACTION(PASSWORD) (or, of course, if the resource is not owned).

Environment

Release: TOPSEC00200-15-Top Secret-Security
Component: