IOFTech    Maintenance   Release8G       Newsletters    Doc    FAQ    Contact    Home

IOF Problem Resolution
Problem E02
Previous Next
Description IOF commands or functions are REFUSED on the IOF server.
 
Background IOF requires that the local site authorize all users access to all IOF commands and functions. Section 28 of the IOF Installation Guide describes various methods of granting access to various IOF resources to users. Access to the "AT" command to initiate a server session is controlled by the client IOF session on the system on which the the user is active. Once the server session is initiated, access to execute IOF functions and commands is controlled by the IOF on the server system.
 
Solution Authorize the user or group of users to execute the desired IOF function on the remote IOF version.

Use the "DVAR" or "WHO" command on the server session to determine the IOF GROUP to which the user is assigned on the server. Use the IOF TRACE facility on the server to trace server access control.


 

Information IOF maintains a large number of variables that control individual IOF sessions. These variables describe the current environment, system, user and session. The value of these variables can be useful in diagnosing IOF problems.

Enter the "DVAR" command from any IOF panel to display a menu of IOF variable categories like the one shown below.

---------- Display of Current Variable Values ---------
COMMAND ===>

1 SESSION environment attributes 2 SESSION environment attributes 2 3 SESSION environment attributes 3 4 SYSTEM environment attributes 5 JES2 Information 6 GROUP attributes defined for your IOF Group 7 GROUP attributes defined for your IOF Group 2 8 Misc attributes 9 Misc attributes 2 10 JAR Job Archival and Retrieval Attributes 11 SLAM System Log Access Management Attributes 12 RACF Security System Attributes 13 APPC Servers and Alias Names Listing 14 Sysids (and alias) with Printers Attached 15 Logical Console Usage Attributes 16 Logical Console Initial Commands

17 Print all variable values

Press the "ENTER" key repeatedly to see each set of variables. Or enter a menu number in the COMMAND area to display that specific list of variables.


 

Information The SERVER session can be traced using the same techniques as would be used to trace a CLIENT IOF session.

The IOF TRACE command is used to trace IOF access control processing. TRACE shows all ALLOW and LIMIT macros, and calls to the system security system (RACF, ACF2, TSS, etc).

TRACE output is written to a SYSOUT trace data set with DDNAME $IOFLOG$. Multiple TRACE commands can be issued on a single IOF session. Each TRACE sequence allocates a new $IOFLOG$ SYSOUT data set.

TRACE has several options. The most useful options are shown below.

Tracing Session Initialization.

The $IOFLOG$ trace data set is allocated. IOF group assignment is traced. The trace data shows why the user is assigned to a specific group, and why the user was not assigned to other groups. Eligible ALLOW and LIMIT macros are also listed. At trace completion, the trace is automatically disabled and the $IOFLOG$ sysout data set is browsed.

Syntax:

TRACE START

Tracing an IOF Command

IOF primary commands and line commands can be traced to determine exactly why access was either granted, or denied. Two TRACE commands are issued.

The first TRACE command allocates the $IOFLOG$ sysout data set and enables the function trace.

The second TRACE command disables the trace, frees the $IOFLOG$ data set, and browses the trace data set.

Each IOF ALLOW and LIMIT macro is shown in $IOFLOG$ along with a description of it's effect on the access control decision. Calls to the system security system are also traced. The resource name, class and return code from the security system are shown. This is normally sufficient information to show exactly why a command was permitted or denied.

It is recommended that only one or two commands be issued with the trace enabled. This makes interpreting the trace easier. To trace additional functions, enter multiple TRACE command pairs.

Syntax:

TRACE
...
one or more IOF primary or line commands
...
TRACE

Clist and Rexx Exec Tracing

A few IOF clist and Rexx execs can be traced. Enabling clist/exec tracing causes the detailed instructions to be listed on the screen.

Syntax:

TRACE EXEC
...
IOF command that invokes a clist or exec
...
TRACE EXECOFF
 
More Help Click here to EMAIL a problem report to IOF Technical Support for additional assistance.

 

Previous Next

Triangle Systems, Inc. PO Box 12752, Research Triangle Park, NC 27709
(919) 544-0090

IOFTech    Maintenance   Release8G       Newsletters    Doc    FAQ    Contact    Home

Thursday, 22-Jul-2021 11:38:14 EDT
 

bauth idvar itrace @@