Yes, your BC1TNEQU table's FUNCEQU section is missing the package actions permission mapping and the package action NAMEQU section is not defined at all. With these you can control which users have access to perform package actions at the various stages of the package life cycle.
The "***** SELECTION" (usually "**** SELECTION") messages stem from a user trying to perform a package action that (1) they're not allowed (i.e. a non-approver trying to REVIEW a package) or (2) trying to perform an **** package action (i.e. CREATE/MODIFY against a package which is already CAST).
Here is a sample but without the matching TSS, ACF2, or RACF security rules (which I don't have) this is hard to understand. Work with your security administrator to find & review the existing rules for your environment, foreground, primary, and action rules and model from that.
One final observation is you should consider bumping up the LATSIZE from 0 to 2. It'll help with performance.
FUNCEQU SAFAUTH=READ, +
C1ACTNS=(DISPLAY,RETRIEVE,SIGNIN, +
PCAST,PCOMMIT,PCREATE,PDISPLAY, +
PEXECUTE,PLIST,PMODIFY,PREVIEW, +
PUTILITY,PSHIP)
FUNCEQU SAFAUTH=UPDATE, +
C1ACTNS=(ADD,UPDATE,GENERATE,SIGNOVR)
FUNCEQU SAFAUTH=CONTROL, +
C1ACTNS=(MOVE,ARCHIVE,DELETE)
FUNCEQU SAFAUTH=ALTER, +
C1ACTNS=(ENVRNMGR,ALTER)
NAMEQU PACKAGE_ACTIONS, +
CLASS='DATASET', +
LOG=ASIS, +
L1=('C1'), +
L2=('PACKAGE'), +
L3=(MENUITEM), +
L4=(PKGSUBFC), +
L5=(PKGSTAT)
Original Message:
Sent: 10-30-2021 12:52 PM
From: Praveen Chandran
Subject: Endevor Execute Authority Issue
Hi All,
I need guidance and direction on issue that, who has the authority to update an element and create a package but not in part of the Package Approval group can't able to Execute / Reset or delete a package. While attempting to enter the panel getting an error as "**** SELECTION".
Looking at the BC1TNEQU member (Name Equates Table) that dictates what dataset rules will give access to what resources, think we might missing some actions/rules related to package processing.
Here's what we have in BC1TNEQU:
TITLE 'BC1TNEQU - EXTERNAL SECURITY INTERFACE TABLE.'
***********************************************************************
* DEFINE ESI DEFAULTS. *
***********************************************************************
BC1TNEQU ESIDFLTS WARN=NO, NORMAL EXECUTION MODE X
HEADER=NONE, PRINT TABLE IN TRACE X
LATSIZE=0 8K (2*4K) LOOK ASIDE TABLE
***********************************************************************
* MAP E/MVS AUTHORITIES TO SAF AUTHORITIES *
***********************************************************************
FUNCEQU SAFAUTH=READ, X
C1ACTNS=(DISPLAY,RETRIEVE,SIGNIN,ADD,UPDATE,GENERATE, X
MOVE,SIGNOVR,ARCHIVE,DELETE,ENVRNMGR)
FUNCEQU SAFAUTH=ALTER, X
C1ACTNS=(ALTER)
FUNCEQU TYPE=END
SPACE 2
***********************************************************************
* SPECIFY SAF DATASET NAME FORMATS *
***********************************************************************
NAMEQU ENVIRONMENT_ACCESS, X
L1=('C1'), X
L2=('ENVIRON'), X
L3=(ENVIRONMENT)
NAMEQU PRIMARY_OPTIONS, X
L1=('C1'), X
L2=(ENVIRONMENT), X
L3=('PMENU'), X
L4=(MENUITEM)
NAMEQU FOREGROUND_OPTIONS, X
L1=('C1'), X
L2=(ENVIRONMENT), X
L3=('FORACTN'), X
L4=(MENUITEM)
NAMEQU ACTION_INITIATION, X
L1=('C1'), X
L2=(ENVIRONMENT), X
L3=(SYSTEM), X
L4=(SUBSYSTEM), X
L5=(ACTION)
NAMEQU TYPE=END
END
According to this Broadcom article, we should have PEXECUTE action in the FUNCEQU C1ACTNS section, and possibly a NAMEQU PACKAGE_ACTIONS set as well as ACTION_INITIATION, PRIMARY_OPTIONS, etc. but we don't so it must be taking some kind of default that they don't explain very well.
I like to identify who has authority to execute packages based on the definitions above, and what is the easiest way to grant execute authority.
Kind Regards,
Praveen R.