Executing a strategy that abends and then requires restart processing fails with the following message:
UID AAAAAAAA IS NOT AUTHORIZED TO CHANGE AUTHID TO BBBBBBBB
BPA0013E: COMMAND CANCELLED BY USER SECURITY EXIT: EXIT01
The BPA0013E message is caused by the following change:
With R14 and onwards, there was a change to the default behaviour of the
Batch Processor EXIT01 processing. Prior to R14, the default behaviour was
to allow any user to use the .AUTH command to switch to another id.
From R14 onwards, the default EXIT01 behaviour is to not allow a user to
use the .AUTH to switch to another id UNLESS the relevant security
definitions are in place in the clients external security (RACF/ACF2/TSS).
To use the default supplied EXIT01 (in hilvl.CDBASRC), which is linked into BPLSEC (in hilvl.CDBALOAD),
you will also need to add the external security definitions.
(see Implementation Guide, Chapter 5 - Executing Product Specific Customization Tasks,
section Value Pack Product Customization, sub-section How To Use The Delivered Security Exits)
You will also want to review TEC553160 for security examples to permit the
.AUTH command in your security setup.
The .AUTH command that is being processed is the result of the .RESTART that
is being done. Batch Processor (RBP) will generate an implicit .AUTH
command on a restart if the current user is not the user who originally
submitted the job. This is to have the restart execute under the authority
of the original submitter, and requires that the submitter of the restarted
job have authorization for executing .AUTH commands.
Solutions for this message include;
- Original user submits the .RESTART processing
- Customer to allow re-submitting user the ability to use .AUTH commands
via the RBP security exit
- Use RESTART OVERRIDE as the analysis can be rerun from the start
- Using the BPID (from the .CONTROL statement) update the PTI.BPLOG_0203
table changing the BPLOG_USERID to the resubmitting user-id.
- The BATPROC parmlib member can be updated to specify AUTHERR (WARN)
which will cause a BPA0164W warning message to be issued, but new
submitter will be able to execute the restart.
This will only work if the RBP Security exit EXIT01 returns an 8 return
code, which is the default as provided by CA.