I am using the HCD panels to activate a new hardware and software configuration, I get the error IOS500I "USER AUTHORIZATION COULD NOT BE DETERMINED". How can this error be addressed?
The HCD request is returning the following complete message:
IOS500I ACTIVATE RESULTS TEST DETECTED CONDITIONS WHICH WOULD RESULT IN ACTIVATE FAILURE REASON=015B,USER AUTHORIZATION
COULD NOT BE DETERMINED DESCTEXT=RACROUTE RETURN CODE 00, REASON CODE 00000000 COMPID=SC1C3
The operating system (MVS) issues a security call (SAF call) to validate the command.
A RACROUTE REQUEST=AUTH CLASS=OPERCMDS command is issued for the HCD ACTIVATE command.
To determine the cause of the IOS500I error the first step is to check to see if OPERCMDS calls are being validated.
This can be done by using the TSO ACF command processor and getting into ACF mode (TSO ACF from any ISPF command line) and entering the following SHOW command:
(Note: the SHOW command can be issued online or in batch using program ACFBATCH of IKJEFT01.
This will display all the active SAFDEF records. By default ACF2 provides a record to IGNORE OPERCMDS calls that looks like:
OPRCAUTH JOBNAME=******** USERID=******** PROGRAM=******** RB=********
RETCODE=4 SAFDEF=INTERNAL MODE=IGNORE SUBSYS=ACF2
If the RACROUTE call is being validated (MODE=GLOBAL instead of IGNORE) there would be a similar record ahead of the default record that is MODE=IGNORE, something like:
xxxxxx JOBNAME=******** USERID=******** PROGRAM=******** RB=********
RETCODE=0 SAFDEF=GSO MODE=GLOBAL SUBSYS=****
where 'xxxxxxx' is whatever ID was assigned when the site defined record was INSERTed, or may be blank if no ID was assigned.
When SAFDEF records are set to IGNORE, then the return codes in the record usually specify 4 to indicate that security is not present. Many SAF calls that get return codes of 4 are allowed to proceed as if security is not installed. There are a few more critical calls that do NOT proceed, which is what happens when you issue the HCD ACTIVATE command.
If OPERCMDS is being validated, write a rule for resource MVS.ACTIVATE to allow the access.
If OPERCMDS is not being validated, insert the following SAFDEF record to IGNORE and allow the request with a return code of 0:
INSERT SAFDEF.hcd ID(hcd) MODE(IGNORE) RETCODE(0) FUNCRET(0)
where "hcd" is any 1-8 character identifier of your choice.
For additional reference, this is documented in the CA ACF2 for z/OS Administrator Guide, Chapter 5, look for "HCD SAF Support."