When I try to activate a new IODF SYSPLEX wide I get message CBDG903I Insufficient authority to process the request.

Document ID : KB000044394
Last Modified Date : 14/02/2018
Show Technical Document Details

Problem:

Getting message "CBDG903I Insufficient authority to process the request" when trying to activate a new IODF
The message description states that the authorization is not sufficient for the request.

What authorizations are required?

 

Resolution:

A request against one or more systems of the active Sysplex has been issued, but the authorization is not
sufficient to process the request. 

The following authorizations must be defined within the OPERCMDS class:

o READ authority for MVS.DISPLAY.IOS resource in order to display the IOS configuration 
o UPDATE authority for the MVS.ACTIVATE resource in order to activate an I/O configuration  
   or to reply to an active WTOR message. 

The default SAFDEF for the OPERCMDS class is ignore with return code 4.
The IBM code is expecting a zero return code. Anything else is seen as a violation.

Therefore, you will need to activate OPERCMDS and write rules.

ACF
SET CONTROL(GSO)
INSERT SAFDEF.OPERCMDS ID(OPERCMDS) MODE(GLOBAL) RCAROUTE(REQUEST=AUTH,CLASS=OPERCMDS)
F ACF2,REFRESH(SAFDEF)
END

The default TYPE code  for OPERCMDS class is TYPE(SAF)
If you want to override this and use a different type you will need to add a clasmap as follows (in this example
we are mapping CLASS OPERCMDS to TYPE code OPR)

ACF
SET CONTROL(GSO)
INSERT CLASMAP.OPERCMDS RESOURCE(OPERCMDS) RSRCTYPE(OPR)
F ACF2,REFRESH(CLASMAP)
END

You can then write a resource rule to allow users access to these resources

for example:

$KEY(MVS) TYPE(OPR)
DISPLAY.IOS UID(allowed users uid) ALLOW SERVICE(READ)
ACTIVATE UID(allowed users uid) ALLOW SERVICE(UPDATE)