BPA0013E: COMMAND CANCELLED BY USER SECURITY EXIT: EXIT01

Document ID : KB000047939
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

Executing a strategy that abends and then requires restart processing fails with the following message:


 	UID AAAAAAAA IS NOT AUTHORIZED TO CHANGE AUTHID TO BBBBBBBB 	
 	BPA0013E: COMMAND CANCELLED BY USER SECURITY EXIT: EXIT01

Solution:

The BPA0013E message is caused by the following change:
With R14 and onwards, there was a change to the default behaviour of the Batch Processor EXIT01 processing. Prior to R14, the default behaviour was to allow any user to use the .AUTH command to switch to another id.

From R14 onwards, the default EXIT01 behaviour is to not allow a user to use the .AUTH to switch to another id UNLESS the relevant security definitions are in place in the clients external security (RACF/ACF2/TSS).

To use the default supplied EXIT01 (in hilvl.CDBASRC), which is linked into BPLSEC (in hilvl.CDBALOAD), you will also need to add the external security definitions.

(see Implementation Guide, Chapter 5 - Executing Product Specific Customization Tasks, section Value Pack Product Customization, sub-section How To Use The Delivered Security Exits)

You will also want to review TEC553160 for security examples to permit the .AUTH command in your security setup.

The .AUTH command that is being processed is the result of the .RESTART that is being done. Batch Processor (RBP) will generate an implicit .AUTH command on a restart if the current user is not the user who originally submitted the job. This is to have the restart execute under the authority of the original submitter, and requires that the submitter of the restarted job have authorization for executing .AUTH commands.

Solutions for this message include;

  • Original user submits the .RESTART processing

  • Customer to allow re-submitting user the ability to use .AUTH commands via the RBP security exit

  • Use RESTART OVERRIDE as the analysis can be rerun from the start

  • Using the BPID (from the .CONTROL statement) update the PTI.BPLOG_0203
    table changing the BPLOG_USERID to the resubmitting user-id.

  • The BATPROC parmlib member can be updated to specify AUTHERR (WARN)
    which will cause a BPA0164W warning message to be issued, but new submitter will be able to execute the restart.
    This will only work if the RBP Security exit EXIT01 returns an 8 return code, which is the default as provided by CA.