RACF issues when running GOA REFRESH

Document ID : KB000122859
Last Modified Date : 22/01/2019
Question:
We decided to put Vantage Scripts under ENDEVOR control. In order to prevent updates outside of ENDEVOR 
we just assigned READ access to users and the Vantage started task. This results in the following violations
during REFRESH of the scripts:

ICH408I USER(SAMS ) GROUP(group) NAME(####################) 
   SAMS.SCRIPTS CL(DATASET ) VOL(volser) 
   INSUFFICIENT ACCESS AUTHORITY 
   FROM SMLD.SCRIPTS (G) 
   ACCESS INTENT(UPDATE ) ACCESS ALLOWED(READ ) 


Why does the Vantage started task need UPDATE access to the script libraries?
Answer:
When scripts are refreshed, Vantage tries to update the PDS directory of the script 
library with internal information, which requires UPDATE access to the data set.
If the PDS directory can't be updated because UPDATE access is missing, it can't be 
guaranteed that the scripts will still work without problems.

NOTE: In general, we recommend using the script wizards in the Windows or web client to create
or modify scripts, since these wizards check for valid syntax.

If ENDEVOR control is to be used, you might consider one of the following options:

1) Use the Vantage script wizards to maintain scripts and use message automation scripts for messages 
VAN1577I UserId: %8S Changed Script Member: %8S in Dsn: %44S 
VAN1578I UserId: %8S Deleted Script Member: %8S in Dsn: %44S 

to submit ENDEVOR batch jobs to add/update scripts using the Vantage script library as source data set
or to delete scripts in ENDEVOR. 

For example, to create or modify scripts, use the following message automation script for message VAN1577I:

<GENERAL> 
EVENT_TYPE=CONMSG 
TITLE=ADD/UPDATE scripts in Endevor 
DESCRIPTION1=ADD/UPDATE scripts in Endevor to track changes 
ENABLED=Y 
LOAD_SCRIPT=Y 
STARTTIME=0000 
ENDTIME=2400 
MAX_EXECUTE=9999 
ACC_FLAG=Y 
ENDTIMEACTION=EXECUTE 
MAX_COUNT=1 
SHUTDOWNACTION=DISCARD 
SET_FILTER=MCNTXT INCL VAN1577I/ 
<EVENT_PROCEDURE> 
SUBSTITUTE_JCL=DSN=GERCAI.VANT.CNTL,MEMBER=NDVRADD,STRIP=B 
SUBMIT_JOB 


This script submits job NDVRADD and uses substitution variables to set the element name, the type and a comment
containing the user ID of the user who updated or created the script:

//ADDELEM EXEC PGM=NDVRC1,REGION=4096K,DYNAMNBR=1500, 
// PARM='C1BM3000' 
//STEPLIB DD DISP=SHR,DSN=your.CSIQAUTU 
// DD DISP=SHR,DSN=your.CSIQAUTH 
//CONLIB DD DISP=SHR,DSN=your.CSIQLOAD 
//C1MSGS1 DD SYSOUT=* 
//C1MSGS2 DD SYSOUT=* 
//SYSUDUMP DD SYSOUT=* 
//GOA DD DISP=SHR,DSN=%%MCNTXT:10%% 
//SYMDUMP DD DUMMY 
//SYSOUT DD SYSOUT=* 
//BSTIPT01 DD * 
SET FROM DDN GOA . 
SET OPTIONS OVE UPD CCID VANTSCR COMMENT 'ADD/UPDATE BY %%MCNTXT:3%%' 

SET TO ENV 'ENV1' 
SYS 'SYSTEM' 
SUB 'VANT' 
TYP '%%MCNTXT:10(12,7)%%' . 
ADD ELEMENT %%MCNTXT:7%% . 



In the above example, the TYPE is identical to the LLQ of the script library.
The script library used is GERCAI.VANT.AUTOSCR, and the LLQ is extracted from the message
using TYP '%%MCNTXT:10(12,7)%%', resulting in TYPE AUTOSCR.


2) Edit the scripts in ENDEVOR, but don't use the BASE library in Vantage, to prevent the ENDEVOR footprint from being overwritten.
Create a GENERATE processor that copies the scripts to the Vantage script library, which is not under ENDEVOR control.
Allow UPDATE access to this library for the Vantage STC user, so it can update the PDS directory with the internal Vantage information.
Grant READ access only to all Vantage users, so that the scripts can't be modified manually outside of ENDEVOR.

NOTE: SECURSCR(Y) will not work in this case, since Vantage is not aware of the user that created the script.
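
For option 1, the offset in TYP '%%MCNTXT:10(12,7)%%' fits only a library name shaped like GERCAI.VANT.AUTOSCR. The Python helper below is an added example, not part of the original document or of Vantage: it dry-runs the substitution against a constructed VAN1577I message and computes the token for another library name. The word and offset semantics are assumptions inferred from the example above, and USER01, MYSCRIPT and PROD.VANTAGE.AUTOSCR are made-up values.

```python
import re

# Assumed semantics, inferred from the example on this page (not taken from
# Vantage documentation): %%MCNTXT:n%% is the n-th blank-delimited word of the
# message, counted from 1, and (o,l) keeps l characters from 0-based offset o.
TOKEN = re.compile(r"%%MCNTXT:(\d+)(?:\((\d+),(\d+)\))?%%")
QUAL = r"[A-Z#@$][A-Z0-9#@$-]{0,7}"
DSN_RE = re.compile(rf"^{QUAL}(\.{QUAL})*$")

# SCL lines from the job on this page that carry substitution variables.
SCL = ("SET OPTIONS OVE UPD CCID VANTSCR COMMENT 'ADD/UPDATE BY %%MCNTXT:3%%'\n"
       "TYP '%%MCNTXT:10(12,7)%%' .\n"
       "ADD ELEMENT %%MCNTXT:7%% .")

# Constructed sample message; USER01 and MYSCRIPT are made-up values.
SAMPLE = ("VAN1577I UserId: USER01 Changed Script Member: MYSCRIPT "
          "in Dsn: GERCAI.VANT.AUTOSCR")


def expand(template, message):
    """Return template with every %%MCNTXT:...%% token resolved from message."""
    words = message.split()

    def resolve(match):
        n = int(match.group(1))
        if not 1 <= n <= len(words):
            raise ValueError(f"message has no word {n}")
        word = words[n - 1]
        if match.group(2) is None:
            return word
        off, length = int(match.group(2)), int(match.group(3))
        if off + length > len(word):
            raise ValueError(f"word {n} is too short for ({off},{length})")
        return word[off:off + length]

    return TOKEN.sub(resolve, template)


def llq_token(dsn, word=10):
    """Build the token that selects the last qualifier of a script library."""
    if len(dsn) > 44 or not DSN_RE.match(dsn):
        raise ValueError(f"not a valid data set name: {dsn!r}")
    llq = dsn.rsplit(".", 1)[-1]
    return f"%%MCNTXT:{word}({len(dsn) - len(llq)},{len(llq)})%%"


if __name__ == "__main__":
    print(expand(SCL, SAMPLE))
    print(llq_token("PROD.VANTAGE.AUTOSCR"))
```

With the unchanged (12,7) token, a library named PROD.VANTAGE.AUTOSCR would yield the type .AUTOSC, so recompute the token whenever the high-level qualifiers differ in length.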