On 08/16/2017 11:18 AM, Elardus Engelbrecht wrote:
> Todd Burrell wrote:
>
>> I have 2 users and one can successfully execute the CONSOLE command while
>> running it in a started task and in batch, but the other user cannot. From
>> what I can tell they are both connected to the same RACF groups and both
>> should have all of the necessary access required to run the CONSOLE command
>> - but one fails with a RC 36 which indicates they are not authorized? Also,
>> there are no RACF error messages for the failing user - and nothing when I
>> ran RACFICE this morning in the violation report?
> You've got good replies, but please post the FULL command and all its
> keywords and also FULL message with the 'RC 36'.
>
>
>> ... while running it in a started task and in batch ...
> What do you mean there? Are these CONSOLE commands issued from these
> tasks/batch?
>
>
>> I seem to remember there is something else that might need to get changed in
>> TSO? Does anyone have anything else I can check?
> From where are the CONSOLE commands issued? If done from SDSF, for example,
> have them type in WHO and look for differences.
>
> Else, do you have automation software / exit which intercepts these commands?
>
> Groete / Greetings
> Elardus Engelbrecht
>
>
>
I seem to remember the CONSOLE command has a way to specify a logical
console name (optional NAME parameter on CONSOLE ACTIVATE), and if
unspecified the default was based on the RACF userid. CONSOLE ACTIVATE
of a console would fail if an attempt was made to activate a console
name that was already active somewhere in the system -- not a problem
when only used from TSO address spaces where only one address space is
running under the same RACF USERID, but a potential problem when you add
batch jobs with unique job names to the mix and let them use CONSOLE
from batch. I think we had to engineer unique console names in some way
and specify that on the "CONSOLE ACTIVATE" command when used from batch
to keep jobs that we cared about from having unpredictable failures from
conflicts with other concurrently running address spaces (TSO or
batch). Having authority for using CONSOLE is necessary but not
sufficient for success -- you must also avoid console name conflicts.
If two different address spaces running at the same time under the same
RACF USERID both potentially need to use the CONSOLE interface at the
same time, then one or both must explicitly assign a console name that
will be unique. If all other permissions look OK but the failure
persists for one user, be sure that user is not running his batch job
while holding an activated console session with the same console name
under his TSO session.
Joel C. Ewing
--
Joel C. Ewing, Bentonville, AR [email protected]
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
