What to Do When an "Authorization Failed" Message is Received

Document ID : KB000031325
Last Modified Date : 14/02/2018

CA View may at times display an "Authorization Failed" message. The conditions under which it can occur, and the corresponding solutions, are listed below:

 . To analyze the situation, set SARINIT FEATURE=1 for a short time to enable security diagnostics.

   If an "Authorization Failed" message appears, you will see the following diagnostic messages:

     SARATH92 AUTHORIZATION FAILED userid UNDER interface RC=xx.xx.xx  
     SARATH92 CLASS=class    ENTITY=resource entity                    
                                                                  
     Reason:  Userid is not authorized to access the requested resource
                    for the specified CLASS and ENTITY value.  

     Action:    Consult with your security administrator or systems programming 
                    group to determine the reason why the authorization was not granted.



 . An "Authorization Failed" message can appear in the following instances, when attempting to browse reports in CA View:

   . If there is a customized SARSECUX exit in use:

     . Review the coding of the exit, as a modified exit may be preventing security from working properly.

 


   . If there was a change in a user's security profile:

     . Review the profile to determine what change caused the loss of security access.



   . If, in external security, the resource class CHA1VIEW is not raclisted.

   . If there are specific external security rules in use:

     . Review the SARINIT parameters SECID=... and SECURITY=....

       If SECURITY=EXTERNAL, then SECID=... is the first node of the security rules that are in use for the database.

       The following View native security rules can be used for browsing reports:                      

         secid.REPT.*                                                          
         secid.VIEW.000.* or secid.VIEW.*                                      
         secid.RAPS

       Review rules similar to the above, to make sure that they have been entered correctly.

   . The user may not have the proper level of access. Even when only browsing a report, a user is making an update to the database.



   . If received when using ROSCOE and RACF:

     . See if the failure can be repeated when accessing the same report through TSO. 
 
       If the failure is repeated, it could be due to a modified SARUSRUX exit.  Review the coding of the exit.



   . If CA Deliver is used, it may be due to a Report Definition whose Distribution IDs have a setting of "Y" for Rview.

     The "Y" setting indicates that a user has restricted viewing privileges. A setting of "N" will lift the restriction.



   . If basic SARINIT security settings are used (SECLIST=NONE in particular), using FASTAUTH security calls gives no performance improvement.

     The SARINIT setting for FASTAUTH calls is FEATURE=4, so it may be advisable to remove 4 from the SARINIT FEATURE settings.
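
Added example (not part of the CA documentation): a Python sketch that pairs the two SARATH92 diagnostic lines produced under FEATURE=1 and counts failures per userid, CLASS and ENTITY, so the security administrator can see which rule to review. The sample lines are constructed from the message template above; the userids, interface names, RC values and the secid VIEW1 are placeholders.

```python
import re
from collections import Counter

# Patterns assume the two-line SARATH92 layout quoted in this article.
FAIL_RE = re.compile(r"SARATH92 AUTHORIZATION FAILED (\S+) UNDER (\S+) RC=(\S+)")
RES_RE = re.compile(r"SARATH92 CLASS=(\S+)\s+ENTITY=(.+?)\s*$")

# Constructed sample lines: userids, interface names, RC values and the
# secid "VIEW1" are placeholders, not values from a real system.
SAMPLE_LOG = """\
 SARATH92 AUTHORIZATION FAILED USER01 UNDER TSO RC=08.08.00
 SARATH92 CLASS=CHA1VIEW    ENTITY=VIEW1.REPT.PAYROLL01
 UNRELATED MESSAGE LINE
 SARATH92 AUTHORIZATION FAILED USER01 UNDER TSO RC=08.08.00
 SARATH92 CLASS=CHA1VIEW    ENTITY=VIEW1.REPT.PAYROLL01
 SARATH92 AUTHORIZATION FAILED USER02 UNDER ROSCOE RC=08.08.00
 SARATH92 CLASS=CHA1VIEW    ENTITY=VIEW1.RAPS
"""

def parse_sarath92(lines):
    """Pair each AUTHORIZATION FAILED line with the CLASS/ENTITY line that follows."""
    events, pending = [], None
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            if pending:              # earlier failure had no CLASS/ENTITY line
                events.append(pending)
            userid, interface, rc = m.groups()
            pending = {"userid": userid, "interface": interface, "rc": rc,
                       "class": None, "entity": None}
            continue
        m = RES_RE.search(line)
        if m and pending:
            pending["class"], pending["entity"] = m.groups()
            events.append(pending)
            pending = None
    if pending:
        events.append(pending)
    return events

def denied_resources(events):
    """Count failures per (userid, class, entity) so repeated denials stand out."""
    return Counter((e["userid"], e["class"], e["entity"]) for e in events)

if __name__ == "__main__":
    for (userid, cls, entity), n in denied_resources(
            parse_sarath92(SAMPLE_LOG.splitlines())).most_common():
        print(f"{n:3d}  {userid:<8} {cls:<8} {entity}")
```
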