RACF message ICH408I: an explanation with example
The first line of message ICH408I identifies a user who had an authorization problem. The other lines of the message describe the request the user was issuing and the reason for the failure.
ICH408I USER(JONES ) GROUP(DEPT60 ) NAME(M.M.JONES ) ICH408I FLA32 CL(FCICSFCT) ICH408I INSUFFICIENT ACCESS AUTHORITY ICH408I FROM F%A* (G) ICH408I ACCESS INTENT(UPDATE) ACCESS ALLOWED(READ)
User JONES, a member of group DEPT60, whose name is M.M.JONES, had INSUFFICIENT ACCESS AUTHORITY to resource FLA32, which is in class FCICSFCT.
The RACF® profile protecting the resource is F%A*.
(G)indicates that F%A* is a generic profile.The access attempted by user JONES was UPDATE, but the access allowed by RACF was READ. Therefore, user JONES was denied access.
DFHXS1111 26/09/95 15:34:01 CICSSYS1 Security violation by user JONES at netname D2D1 for resource FLA32 in class TCICSTRN. SAF codes are (X'00000008',X'00000000'). ESM codes are (X'00000008',X'00000000').
The SAF and ESM codes come from RACROUTE REQUEST=AUTH.
In this profile, user JONES has an explicit entry in the access list. If the userid itself does not appear in the access list, check for one of JONES's connect groups. To list the groups to which JONES is connected, issue LISTUSER JONES Other specifications in the profile (such as security level or security category) might cause access to be denied. For a complete description, see the z/OS Security Server RACF Security Administrator's Guide.
Related information
For a complete description of RACF message ICH408I, see z/OS Security Server RACF Messages and Codes.