CA OPSMVS: DB2 oper commands failure DSN9016I COMMAND REJECTED, UNAUTHORIZED REQUEST

Document ID : KB000103228
Last Modified Date : 12/02/2019
Show Technical Document Details
Issue:
In CA OPS/MVS, as part of an automation process or a rule,  it is possible to issue commands using OPSOSF address spaces as servers that handle asynchronous action requests. It could be something looking like the following: 

ADDRESS OPER                                         
 "-STOP DDF MODE(FORCE)"                   
 "-STOP DB2"                     
 "P OAM"                         
 

It can happen that the above STOP command related to DB2 task gets the following error: 

DSN9016I COMMAND REJECTED, UNAUTHORIZED REQUEST
OPS1181H OPSOSF OPSS (*Local*) MVS N/A DB2STOP -STOP DB2

How to determine what OPSMVS ACID or userid should be defined and authorized in DB2 for these command? 
Environment:
Z/OS - OPSMVS - DB2 
Resolution:
In order to correctly execute  DB2 oper commands from within an automation process executed via OPSOSF Service tasks, it is necessary that the userid of the OPSOSF Server is authorized in DB2 to issue these oper commands (in this case the STOP command).
The userid can be determined by browsing the OPSLOG and checking the value of the column "User ID" of the CMD event.
One way to show these fields in OPSLOG is by issuing the command D EVN USERID. Sample output:

OPSLOG Browse XEXX     XEXX OPSLOG  
Command ===>  D EVN USERID                      
Evn User ID  ----+----1----+----2---
CMD OPSOSF   -STOP DB2  
           

In the above example, the userid is OPSOSF.
The required RACF definitions would then be:

RDEF DSNADM DB2.SYSOPR UACC(NONE) OWNER(DB2) 
RALT DSNADM DB2.SYSOPR AUDIT(FAILURES(READ)) 
PE DB2.SYSOPR CLASS(DSNADM) ID(OPSOSF) ACCESS(READ) 
Additional Information:
See the documents below regarding this subject for CA Top Secret and ACF2.

ACF2:

https://comm.support.ca.com/kb/dsn9016i-when-trying-to-issue-db2-operator-command-at-console/kb000019065

TSS:

https://comm.support.ca.com/kb/the-db2-stop-command-issued-from-the-master-console-will-produce-the-following-error-messages-dsn9016i-and-dsn9023i/kb000046271