How do I address the violation message ACF04056 ACCESS TO RESOURCE SYSREXX.AXRUSER TYPE RSUR BY AXRUSER NOT AUTHORIZED that occur doing an IPL?

Document ID : KB000003930
Last Modified Date : 14/02/2018
Show Technical Document Details
Issue:

During the IPL of my z/OS system I get the following ACF2 messages:

ACF04056 ACCESS TO RESOURCE SYSREXX.AXRUSER TYPE RSUR BY AXRUSER NOT AUTHORIZED

IEF196I ACF04056 ACCESS TO RESOURCE SYSREXX.AXRUSER TYPE RSUR BY

IEF196I AXRUSER NOT AUTHORIZED

AXR0111I AXRUSER VALUE OF AXRUSER IS REJECTED BY RACROUTE REQUEST=AUTH.

RACROUTE (SAF) RETCODE= 8, RACF RETCODE= 8, RACF RSNCODE= 0.

 

ANY SUBSEQUENT USE OF AXRUSER WILL BE REJECTED.

Resolution:

SYSREXX is the z/OS component that lets you execute REXX execs outside of the TSO/E environment. It's started task is AXR.

The SYSREXX documentation includes these RACF statements:

RDEFINE SURROGAT SYSREXX.AXRUSER UACC(NONE)

SETROPTS GENERIC (SURROGAT) REFRESH (<userid>)

PERMIT SYSREXX.AXRUSER CL(SURROGAT) ACCESS(ALTER) ID(<userid>)

 

The ACF2 equivalent statements are:

ACF

SET RESOURCE(SUR)

$KEY(SYSREXX) TYPE(SUR)

AXRUSER UID(UID string for userid) SERVICE(ADD) ALLOW

 

Alternatively, the rule key can be defined to include the entire resource name:

$KEY(SYSREXX.AXRUSER) TYPE(SUR)

UID(UID string for userid) SERVICE(ADD) ALLOW

 

(The inclusion of the SERVICE keyword is optional.)

The SUR resource type must be resident so ensure R-RSUR is in your INFODIR record.

Issue the SHOW RESIDENT command. If RSUR is not displayed in the output, enter these ACF commands to add it:

SET CONTROL(GSO)

CHANGE INFODIR TYPES(R-RSUR) ADD

F ACF2,REFRESH(INFODIR)

 

To activate the new rule:

 

F ACF2,REBUILD(SUR)