Discussion:
Conversion to PDSE
(too old to reply)
Jorge Garcia
2012-09-12 08:05:45 UTC
Permalink
Hello:

Last week we've migrated some PDS to PDSE. Two weeks ago we've applied the ptfs in II14459: Z/OS DFSMS 1.10 HDZ1A10 CURRENT PDSE MAINTENANCE.
After the migration is completed, the users notify us that the copys procedures between environments cancel with
ICH418I CONDITIONAL ACCESS LIST FOR DATA SET dataset DID NOT GRANT AUTHORITY TO PROGRAM(S): IEBCOPY

The target library always is a PDSE and the IN library could be a PDS or a PDSE. We've included group ID procedure in the IEBCOPY RACF PROGRAM class access list and the procedure works fine. If we execute the procedure between PDS's we don't need any change in our RACF IEBCOPY program class.

For the migration we've read the Redbook PDSE extended usage guide and there isn't any mention about changes in RACF access.

Any help appreciate

Jorge Garcia Juanino
Gestor de servicio sistemas z/OS
DGTP – DIAC – Area servicios de CPD
MAPFRE
C/ Orduña, 1 (2º Planta)
28034 Madrid
Tfno.: 91 581 27 34 – Extension interna: 412734
Movil: 618333559
***@mapfre.com

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Jorge Garcia
2012-09-12 08:13:19 UTC
Permalink
We've attach more information:

The IEBCOPY sysout displays:

IGW01001T ABEND 913-00000038 IN MODULE ???????? AT OFFSET ????
IEB1130E A TERMINATING MESSAGE FROM PDSE PROCESSING APPEARS ABOVE -- DIAGNOSTIC INFORMATION IS X'28010001'

We find the OA33372 APAR about these messages. It's not included in II14459: Z/OS DFSMS 1.10 HDZ1A10 CURRENT PDSE MAINTENANCE.

Any APAR o maintenance recomended more for PDSE usage?

Regards


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Lizette Koehler
2012-09-12 10:55:32 UTC
Permalink
What was running when this error occurred?

It looks like a security violation, what security product do you use? ACF2, TSS, RACF? Do you see any additional messages in SYSLOG for this failure? Any ICH408I, ACF or TSS messages?
Look in syslog around the IGW01001T and see if there is anything else.

I would probably open an SR with IBM on this issue if there are no additional messages for this failure.

Lizette
-----Original Message-----
Of Jorge Garcia
Sent: Wednesday, September 12, 2012 1:13 AM
Subject: Re: Conversion to PDSE
IGW01001T ABEND 913-00000038 IN MODULE ???????? AT OFFSET ????
IEB1130E A TERMINATING MESSAGE FROM PDSE PROCESSING APPEARS ABOVE --
DIAGNOSTIC INFORMATION IS X'28010001'
We find the OA33372 APAR about these messages. It's not included in II14459: Z/OS
DFSMS 1.10 HDZ1A10 CURRENT PDSE MAINTENANCE.
Any APAR o maintenance recomended more for PDSE usage?
Regards
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
retired mainframer
2012-09-12 16:28:23 UTC
Permalink
What does the conditional access list for the dataset look like?

:>: -----Original Message-----
:>: From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On
:>: Behalf Of Jorge Garcia
:>: Sent: Wednesday, September 12, 2012 1:01 AM
:>: To: IBM-***@LISTSERV.UA.EDU
:>: Subject: Conversion to PDSE
:>:
:>: Hello:
:>:
:>: Last week we've migrated some PDS to PDSE. Two weeks ago we've applied
:>: the ptfs in II14459: Z/OS DFSMS 1.10 HDZ1A10 CURRENT PDSE MAINTENANCE.
:>: After the migration is completed, the users notify us that the copys
:>: procedures between environments cancel with
:>: ICH418I CONDITIONAL ACCESS LIST FOR DATA SET dataset DID NOT GRANT
:>: AUTHORITY TO PROGRAM(S): IEBCOPY

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Jorge Garcia
2012-09-12 18:29:39 UTC
Permalink
Hello:

The messages are:

ICH418I CONDITIONAL ACCESS LIST FOR DATA SET APLTRA.INTPREP.LOAD DID NOT
GRANT AUTHORITY TO PROGRAM(S): IEBCOPY
ICH408I USER(CRIVEGA ) GROUP(GRIMPLAN) NAME(CRISTINA VEGA ) 260
APLTRA.INTPREP.LOAD CL(DATASET ) VOL(DESL03)
INSUFFICIENT ACCESS AUTHORITY
FROM APLTRA.INTPREP.** (G)
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
IEC150I 913-38,IFG0194E,JCIDAUTO,PASO20,SYS00003,29E7,DESL03,APLTRA.INTP
REP.LOAD

With this access in RACF profile the job works fine:

INFORMATION FOR DATASET APLTRA.INTPREP.** (G)

LEVEL OWNER UNIVERSAL ACCESS WARNING ERASE
----- -------- ---------------- ------- -----
00 APLTRA NONE NO NO

ID ACCESS CLASS ENTITY NAME
-------- ------- -------- --------------------------

GRIMPLAN UPDATE PROGRAM IEBCOPY

Regards

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
R.S.
2012-09-12 20:56:31 UTC
Permalink
Wild guess: your environment is dirty.
I mean dirty environment in sense of RACF - any of the programs in the
address space is not RACF protected, that means is not covered by the
profile in PROGRAM class.

I would focus on ** profile (or *, single asterisk).
--
Radoslaw Skorupka
Lodz, Poland
Post by Jorge Garcia
ICH418I CONDITIONAL ACCESS LIST FOR DATA SET APLTRA.INTPREP.LOAD DID NOT
GRANT AUTHORITY TO PROGRAM(S): IEBCOPY
ICH408I USER(CRIVEGA ) GROUP(GRIMPLAN) NAME(CRISTINA VEGA ) 260
APLTRA.INTPREP.LOAD CL(DATASET ) VOL(DESL03)
INSUFFICIENT ACCESS AUTHORITY
FROM APLTRA.INTPREP.** (G)
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
IEC150I 913-38,IFG0194E,JCIDAUTO,PASO20,SYS00003,29E7,DESL03,APLTRA.INTP
REP.LOAD
INFORMATION FOR DATASET APLTRA.INTPREP.** (G)
LEVEL OWNER UNIVERSAL ACCESS WARNING ERASE
----- -------- ---------------- ------- -----
00 APLTRA NONE NO NO
ID ACCESS CLASS ENTITY NAME
-------- ------- -------- --------------------------
GRIMPLAN UPDATE PROGRAM IEBCOPY
Regards
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
--
Treść tej wiadomości może zawierać informacje prawnie chronione Banku przeznaczone wyłącznie do użytku służbowego adresata. Odbiorcą może być jedynie jej adresat z wyłączeniem dostępu osób trzecich. Jeżeli nie jesteś adresatem niniejszej wiadomości lub pracownikiem upoważnionym do jej przekazania adresatowi, informujemy, że jej rozpowszechnianie, kopiowanie, rozprowadzanie lub inne działanie o podobnym charakterze jest prawnie zabronione i może być karalne. Jeżeli otrzymałeś tę wiadomość omyłkowo, prosimy niezwłocznie zawiadomić nadawcę wysyłając odpowiedź oraz trwale usunąć tę wiadomość włączając w to wszelkie jej kopie wydrukowane lub zapisane na dysku.

This e-mail may contain legally privileged information of the Bank and is intended solely for business use of the addressee. This e-mail may only be received by the addressee and may not be disclosed to any third parties. If you are not the intended addressee of this e-mail or the employee authorised to forward it to the addressee, be advised that any dissemination, copying, distribution or any other similar activity is legally prohibited and may be punishable. If you received this e-mail by mistake please advise the sender immediately by using the reply facility in your e-mail software and delete permanently this e-mail including any copies of it either printed or saved to hard drive.

BRE Bank SA, 00-950 Warszawa, ul. Senatorska 18, tel. +48 (22) 829 00 00, fax +48 (22) 829 00 33, www.brebank.pl, e-mail: ***@brebank.pl
Sąd Rejonowy dla m. st. Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego, nr rejestru przedsiębiorców KRS 0000025237, NIP: 526-021-50-88.
Według stanu na dzień 01.01.2012 r. kapitał zakładowy BRE Banku SA (w całości wpłacony) wynosi 168.410.984 złotych.


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
retired mainframer
2012-09-12 22:08:37 UTC
Permalink
I'm confused. Under what conditions does the job fail?

Why do you have a conditional access for these datasets? What benefit do
you think it provides? It doesn't provide any additional security (though
it might prevent an accident). If any member of the group wants to update
the dataset other than with IEBCOPY, all they need do is copy the members
with IEBCOPY to an unrestricted dataset (e.g., userid.XX), make the updates,
and use IEBCOPY to replace any updated members.

:>: -----Original Message-----
:>: From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On
:>: Behalf Of Jorge Garcia
:>: Sent: Wednesday, September 12, 2012 11:30 AM
:>: To: IBM-***@LISTSERV.UA.EDU
:>: Subject: Re: Conversion to PDSE
:>:
:>: Hello:
:>:
:>: The messages are:
:>:
:>: ICH418I CONDITIONAL ACCESS LIST FOR DATA SET APLTRA.INTPREP.LOAD DID NOT
:>: GRANT AUTHORITY TO PROGRAM(S): IEBCOPY
:>: ICH408I USER(CRIVEGA ) GROUP(GRIMPLAN) NAME(CRISTINA VEGA ) 260
:>: APLTRA.INTPREP.LOAD CL(DATASET ) VOL(DESL03)
:>: INSUFFICIENT ACCESS AUTHORITY
:>: FROM APLTRA.INTPREP.** (G)
:>: ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
:>: IEC150I 913-38,IFG0194E,JCIDAUTO,PASO20,SYS00003,29E7,DESL03,APLTRA.INTP
:>: REP.LOAD
:>:
:>: With this access in RACF profile the job works fine:
:>:
:>: INFORMATION FOR DATASET APLTRA.INTPREP.** (G)
:>:
:>: LEVEL OWNER UNIVERSAL ACCESS WARNING ERASE
:>: ----- -------- ---------------- ------- -----
:>: 00 APLTRA NONE NO NO
:>:
:>: ID ACCESS CLASS ENTITY NAME
:>: -------- ------- -------- --------------------------
:>:
:>: GRIMPLAN UPDATE PROGRAM IEBCOPY

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Jorge Garcia
2012-09-13 06:28:42 UTC
Permalink
<<I'm confused. Under what conditions does the job fail?>>

The job fails if your don't have an UPDATE access in PROGRAM class to GRIMPLAN group ID in the RACF dataset profile APLTRA.INTPREP.**

<Why do you have a conditional access for these datasets?>

If the target dataset in IEBCOPY program is a PDSE your need the access above. If the target dataset is a PDS you can remove the access.

<<If any member of the group wants to update the dataset other than with IEBCOPY, all they need do is copy the members with IEBCOPY to an unrestricted dataset (e.g., userid.XX), make the updates, and use IEBCOPY to replace any updated members. >>

It's right. The PDSE target is a load library and it access is restricted to a procedure with a IEBCOPY program.

Regards

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Loading...