I am using the HCD panels to activate a new hardware and software configuration, I get the error IOS500I "USER AUTHORIZATION COULD NOT BE DETERMINED". How can this error be addressed?

Document ID : KB000026478
Last Modified Date : 14/02/2018
Show Technical Document Details

Question:  

I am using the HCD panels to activate a new hardware and software configuration, I get the error IOS500I "USER AUTHORIZATION COULD NOT BE DETERMINED". How can this error be addressed?

Answer: 

The HCD request is returning the following complete message:
IOS500I ACTIVATE RESULTS TEST DETECTED CONDITIONS WHICH WOULD RESULT IN ACTIVATE FAILURE REASON=015B,USER AUTHORIZATION
COULD NOT BE DETERMINED DESCTEXT=RACROUTE RETURN CODE 00, REASON CODE 00000000 COMPID=SC1C3

The operating system (MVS) issues a security call (SAF call) to validate the command.

A RACROUTE REQUEST=AUTH CLASS=OPERCMDS command is issued for the HCD ACTIVATE command.

To determine the cause of the IOS500I error the first step is to check to see if OPERCMDS calls are being validated.
This can be done by using the TSO ACF command processor and getting into ACF mode (TSO ACF from any ISPF command line) and entering the following SHOW command:

SHOW SAFDEF

(Note: the SHOW command can be issued online or in batch using program ACFBATCH of IKJEFT01.

This will display all the active SAFDEF records. By default ACF2 provides a record to IGNORE OPERCMDS calls that looks like:

OPRCAUTH JOBNAME=********   USERID=********   PROGRAM=********   RB=********
         RETCODE=4          SAFDEF=INTERNAL   MODE=IGNORE        SUBSYS=ACF2
         FUNCRET=0          FUNCRSN=0
                                                                              
         RACROUTE REQUEST=AUTH,CLASS='OPERCMDS'

If the RACROUTE call is being validated (MODE=GLOBAL instead of IGNORE) there would be a similar record ahead of the default record that is MODE=IGNORE, something like:

xxxxxx   JOBNAME=********   USERID=********   PROGRAM=********   RB=********
         RETCODE=0          SAFDEF=GSO        MODE=GLOBAL        SUBSYS=****
         FUNCRET=0          FUNCRSN=0
                                                                             
         RACROUTE REQUEST=AUTH,CLASS='OPERCMDS'

where 'xxxxxxx' is whatever ID was assigned when the site defined record was INSERTed, or may be blank if no ID was assigned.

When SAFDEF records are set to IGNORE, then the return codes in the record usually specify 4 to indicate that security is not present. Many SAF calls that get return codes of 4 are allowed to proceed as if security is not installed. There are a few more critical calls that do NOT proceed, which is what happens when you issue the HCD ACTIVATE command.

If OPERCMDS is being validated, write a rule for resource MVS.ACTIVATE to allow the access.

If OPERCMDS is not being validated, insert the following SAFDEF record to IGNORE and allow the request with a return code of 0:

INSERT SAFDEF.hcd ID(hcd) MODE(IGNORE) RETCODE(0) FUNCRET(0)
   RACROUTE(REQUEST=AUTH,CLASS=OPERCMDS,SUBSYS=IOS,REQSTOR=IOS-)

where "hcd" is any 1-8 character identifier of your choice.

Additional Information:

For additional reference, this is documented in the CA ACF2 for z/OS Administrator Guide, Chapter 5, look for "HCD SAF Support."