I get message $HASP690 COMMAND REJECTED - SOURCE OF COMMAND HAS IMPROPER AUTHORITY with JMON (JES Job Monitor) product.

Document ID : KB000025559
Last Modified Date : 14/02/2018
Show Technical Document Details

Problem:

Users of the JES Job Monitor (JMON) are unable to enter console commands. They get the message $HASP690 COMMAND REJECTED - SOURCE OF COMMAND HAS IMPROPER AUTHORITY. No violation shows up in the ACFRPTRV report.

Resolution:

The JMON console commands require that the user have access to the command via an OPERCMDS validation. If a SAFDEF record has not already been defined to override the default SAFDEF OPRCAUTH that ignores AUTH requests with this class, then the overriding SAFDEF should be defined now. Appropriate resource rules for the commands should also be written.

Authorization for the JMON console commands also requires that there be a USER OPERPARMS profile record defined for the user. That OPERPARMS record should specify AUTH=MASTER.

The overriding SAFDEF specific to JMON can be defined as follows:

SET C(GSO)
INSERT SAFDEF.JMON PROGRAM(BPXPTATT) MODE(GLOBAL) -
RACROUTE(REQUEST=AUTH,CLASS=OPERCMDS,SUBSYS=CONSOLE)

To activate the new SAFDEF, issue this command:

F ACF2,REFRESH(SAFDEF)

This new SAFDEF will require that you have rules for typical commands that could issued from this environment. For example, you would need a resource rule for MVS.MCSOPER.JMON. The rule would look similar to this:

$KEY(MVS.MCSOPER.JMON) TYPE(OPR) <-- This assumes there is a CLASMAP that maps OPERCMDS to OPR.
UID(*) ALLOW

The USER profile record for the OPERPARM segment could be defined as follows:

SET PROFILE(USER) DIV(OPERPARM)
INSERT user1 AUTH(MASTER) ROUTCODE(1-8,11) MFORM(TIME.SYSID)

The new profile record would be activated by issuing this command:

F ACF2, REBUILD(USR),CLASS(P)