ICH408I for Tape Date Sets running IDCAMS REPRO MERGECAT

Document ID : KB000125500
Last Modified Date : 31/01/2019
Show Technical Document Details
Issue:
IDCAMS REPRO MERGECAT fails with the following security violations for migrated data sets and for data sets on tape volumes:

ICH408I USER(userid ) GROUP(group ) NAME(user name  ) 
   HLQ.data.set.name CL(DATASET ) VOL(MIGRAT)
   INSUFFICIENT ACCESS AUTHORITY
   FROM HLQ.** (G)
   ACCESS INTENT(ALTER  )  ACCESS ALLOWED(READ   )
ICH408I USER(userid ) GROUP(group ) NAME(user name  ) 
   HLQ.data.set.name CL(DATASET )  VOL(tape00)
   INSUFFICIENT ACCESS AUTHORITY
   FROM HLQ.** (G)
   ACCESS INTENT(ALTER  )  ACCESS ALLOWED(READ   )



The Userid running MERGECAT has ALTER ACCESS to the Catalogs and READ ACCESS to the Data Sets being merged.
This works for Data Sets on DASD, but fails for Tape Data Sets or migrated Data Sets.
Resolution:
This problem is caused by the CA 1 Catalog Interface. It is addressed by CA Common Tape (CM-$F) Problem 298. APAR ST07062 is available and can be requested from Support. The published PTF will be available soon. Following details for APAR ST07062:

Title: CORRECT SECURITY CALL DURING A MERGECAT OPERATION 

PROBLEM DESCRIPTION:                                                        
For CA 1 clients when OCEOV is set to YES and an attempt is made to perform 
a REPRO MERGECAT operation, without access to the data set names being      
merged, it will fail with a security violation.                             
                                                                            
SYMPTOMS:                                                                   
A security-violation on an individual file will prevent the IDCAMS procedure
from ending correctly.                                                      
                                                                            
IMPACT:                                                                     
Cannot perform the MERGECAT operation.                                      
                                                                            
CIRCUMVENTION:                                                              
A circumvention would be to disable the CA 1 check at OPEN and enable the   
same call from OPEN itself. This can be done by changing OCEOV to NO in the 
TMOOPTxx member of CA 1 options and setting the TAPEAUTHDSN=YES option in   
DEVSUPxx member of SYS1.PARMLIB instead.