I think I covered that, but obviously not well enough.

If no called/loaded modules exist in the JOBLIB/STEPLIB, and all are in the 
LINKLIST, then that meets the requirement that all LOADs occur from authorized 
libraries.  It doesn't matter if JOBLIB/STEPLIB are authorized or not.

I think he got away with it because one of the tests was run where all the sort 
modules were in the LINKLIST.  He then ran it with the sort libraries also in 
the JOBLIB/STEPLIB concatenations that included an unauthorized library and 
that failed with a 306.

It's all a question of where modules get loaded from.  To be certain of things, 
I would need to see the concatenations and the APF library list at each run 
time.

Chris Blaicher
Principal Software Engineer, Software Development
Syncsort Incorporated
50 Tice Boulevard, Woodcliff Lake, NJ 07677
P: 201-930-8260  |  M: 512-627-3803    
E: [email protected]


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf 
Of Robert Hahne
Sent: Thursday, December 19, 2013 10:51 AM
To: [email protected]
Subject: Re: APF authorization and JOBLIB DD card

Hello Chris,

This is a very good explanation. But that still leaves OP's last question:

"If IDCAMS requires APF authorization for called modules, why does IDCAMS work 
when the JOBLIB is supposedly not authorized by introducing a non-authorized 
library to the JOBLIB? "

I assume OP ran the job by APF authorizing the JOBLIBs first, and then tried 
another run by adding an unauthorized library to the JOBLIB concatenation.

TIA,

Bob

> Date: Thu, 19 Dec 2013 00:58:00 +0000
> From: [email protected]
> Subject: Re: APF authorization and JOBLIB DD card
> To: [email protected]
> 
> I will answer the APF questions, but I strongly suggest that you call 
> SyncSort Support in the morning if you continue to have ABEND 306 problems.
> 
> The short answer is that any module loaded by an authorized program must come 
> from an authorized library.  Loaded modules don't have to be authorized 
> (AC=1), they just have to come from an authorized library.  Now it gets more 
> complicated.
> 
> Most people think that all LINKLIST libraries are authorized, but that isn't 
> always true.  If your site has LNKAUTH=APFTAB as a parm in IEASYSxx rather 
> than taking the default or specifying LNKAUTH=LNKLST, then only those 
> libraries that are in the APF table are considered authorized.
> 
> JOBLIB and STEPLIB libraries are handled a little differently.  They are 
> either all authorized or all not authorized.  So, if you have a three library 
> concatenation and they are all authorized, life is good.  If you add a 
> non-authorized library to them, then they are all considered un-authorized.
> 
> When you ran an IDCAMS job with all modules used in the linklist, it was OK 
> because it didn't get any modules from JOBLIB.  Your site must be taking the 
> default or specifying LNKAUTH=LNKLST.  When you put the same libraries in the 
> JOBLIB concatenation, and any one of them isn't in the APF table, then all of 
> the JOBLIB libraries become un-authorized, even if the libraries are still in 
> the LINKLIST.  Because the search is STEPLIB first, JOBLIB second (or first 
> if no STEPLIB) and then the LINKLIST and it found the module it wanted in the 
> JOBLIB and the JOBLIB concatenation was not authorized because one or more 
> libraries weren't, then you get the ABEND 306.
> 
> Confused enough?
> 
> Chris Blaicher
> Principal Software Engineer, Software Development
> Syncsort Incorporated
> 50 Tice Boulevard, Woodcliff Lake, NJ 07677
> P: 201-930-8260  |  M: 512-627-3803    
> E: [email protected]
> 
> 
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] 
> On Behalf Of Pommier, Rex
> Sent: Wednesday, December 18, 2013 6:07 PM
> To: [email protected]
> Subject: APF authorization and JOBLIB DD card
> 
> Hi list,
> 
> I'm confused - again.  I thought I knew how APF authorization works with 
> JOBLIB statements but apparently I don't.  Here's the background.  I'm 
> installing a new maintenance level of SyncSort.  According to the SyncSort 
> manual, the only library that needs APF authorization is the SYNCAUTH library 
> which contains the Dynamic Storage Management modules.   
> 
> In addition, IDCAMS internally calls a SORT module by default when performing 
> a BuildIndeX function.
> 
> Here's my scenario.  I have batch jobs with JOBLIB statements in them.  In 
> order to test my SyncSort upgrade, I have added the SYNCLINK and SYNCRENT 
> libraries to the JOBLIB concatenation.  
> 
> Where I'm hitting the problem is IDCAMS BIX function.  When I run the IDCAMS 
> job with just the normal JOBLIB without the SyncSort libraries in it, the job 
> runs fine - presumably using the SyncSort currently in the LinkList.  The 
> JOBLIB is not APF authorized because it has a mixture of authorized and not 
> authorized libraries in it.  I add the new SyncSort libraries to the JOBLIB 
> and the IDCAMS fails with a S306-0C abend and message "CSV019I REQUESTED 
> MODULE SS14RC02 NOT ACCESSED, IS IN NON-APF LIBRARY/CONCATENATION".  Module 
> SS14RC02 is linked AC=0 and is in the SYNCRENT library.  I added all the 
> JOBLIB libraries to the APF list and the IDCAMS step runs fine.  I then add a 
> non-APF authorized library to the JOBLIB and the IDCAMS step STILL runs fine! 
>  
> 
> Why is IDCAMS demanding that non-APF module SS14RC02 be loaded from an APF 
> authorized library?
> 
> If IDCAMS requires APF authorization for called modules, why does IDCAMS work 
> when the JOBLIB is supposedly not authorized by introducing a non-authorized 
> library to the JOBLIB?
> 
> TIA
> 
> Rex
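
The load rules stated in this thread (private concatenation searched before the LINKLIST, JOBLIB/STEPLIB authorized only as a whole, LNKAUTH deciding whether LINKLIST libraries count as authorized) can be modelled in a few lines. This is an added example, not part of the original messages and not z/OS or SyncSort code; the data set names and the `resolve` function are constructed for illustration, and only the module name SS14RC02 comes from the thread.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Library:
    name: str
    modules: frozenset
    apf: bool  # True if the data set is in the APF table

def resolve(module, private_concat, linklist, lnkauth="LNKLST"):
    """Model a LOAD issued by an authorized program (e.g. IDCAMS).

    private_concat is the step's JOBLIB/STEPLIB concatenation; it is searched
    before the LINKLIST and is authorized only if every library in it is.
    Returns (library the module was found in, outcome).
    """
    concat_ok = bool(private_concat) and all(lib.apf for lib in private_concat)
    for lib in private_concat:
        if module in lib.modules:
            return lib.name, "LOADED" if concat_ok else "ABEND 306"
    for lib in linklist:
        if module in lib.modules:
            # LNKAUTH=LNKLST: every LINKLIST library counts as authorized.
            # LNKAUTH=APFTAB: only those also in the APF table do.
            ok = lnkauth == "LNKLST" or lib.apf
            return lib.name, "LOADED" if ok else "ABEND 306"
    return None, "NOT FOUND"

# Constructed data set names; SS14RC02 is the module named in the thread.
SORT = frozenset({"SS14RC02"})
APP = Library("APP.LOADLIB", frozenset({"PAYROLL"}), apf=False)
APP_APF = Library("APP.LOADLIB", frozenset({"PAYROLL"}), apf=True)
NEW_SORT = Library("NEW.SYNCRENT", SORT, apf=False)
NEW_SORT_APF = Library("NEW.SYNCRENT", SORT, apf=True)
LNK_SORT = Library("LNK.SYNCSORT", SORT, apf=False)

def scenarios():
    m, lnk = "SS14RC02", [LNK_SORT]
    return {
        "joblib without sort libs": resolve(m, [APP], lnk),
        "new sort lib added, not APF": resolve(m, [APP, NEW_SORT], lnk),
        "whole joblib in APF list": resolve(m, [APP_APF, NEW_SORT_APF], lnk),
        "one non-APF lib in joblib": resolve(m, [APP, NEW_SORT_APF], lnk),
        "LNKAUTH=APFTAB, linklist lib not in APF table":
            resolve(m, [APP], lnk, lnkauth="APFTAB"),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:48} -> {result}")
```

The model only predicts an outcome from the concatenations and APF table it is given, which is why the actual JOBLIB/STEPLIB DD statements and the APF list at each run are needed to explain a real result.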
