Operating System - OpenVMS

Re: Insufficient privileges to submit a batch job for a new user

 
SOLVED
Cindy Lomas
Occasional Advisor

Insufficient privileges to submit a batch job for a new user

I created a new user using Authorize. I copied an existing user who had similar privileges etc. and assigned a new UIC, password, device, directory and lgicmd to the new user.

When I submit a batch job from the new user account, I get %RMS-E-PRV, insufficient privilege or file protection violation. No log file is created.

I had this problem with another user that I created but I assigned it a different UIC and now it's working.

What am I missing?

Thanks,
Cindy
13 REPLIES 13
labadie_1
Honored Contributor

Re: Insufficient privileges to submit a batch job for a new user

The message says this user can't access the batch file.

I think

$ dir /sec com-fil
will show that this file and the user have not "enough" in common

can you post it, and
$ mc authorize sh failing_user
to see the uic, privileges and login directory
Cindy Lomas
Occasional Advisor

Re: Insufficient privileges to submit a batch job for a new user

As requested, here is the user's information.

Username: ORA_USER_MKT Owner: ORACLE Conversion
Account: DEVELOP UIC: [100,54] ([DEVELOP,ORA_USER_MKT])
CLI: DCL Tables: DCLTABLES
Default: DKB100:[ORA_CONV]
LGICMD: SYS$LOGIN:LOGIN.COM
Flags:
Primary days: Mon Tue Wed Thu Fri
Secondary days: Sat Sun
No access restrictions
Expiration: (none) Pwdminimum: 6 Login Fails: 0
Pwdlifetime: (none) Pwdchange: 11-MAR-2004 12:58
Last Login: 11-MAR-2004 13:23 (interactive), (none) (non-interactive)
Maxjobs: 0 Fillm: 100 Bytlm: 64000
Maxacctjobs: 0 Shrfillm: 0 Pbytlm: 0
Maxdetach: 0 BIOlm: 150 JTquota: 4096
Prclm: 8 DIOlm: 150 WSdef: 2000
Prio: 4 ASTlm: 250 WSquo: 4000
Queprio: 0 TQElm: 10 WSextent: 16384
CPU: (none) Enqlm: 2000 Pgflquo: 50000
Authorized Privileges:
GRPNAM NETMBX TMPMBX
Default Privileges:
GRPNAM NETMBX TMPMBX
labadie_1
Honored Contributor
Solution

Re: Insufficient privileges to submit a batch job for a new user

So this user's UIC is 100,54.

dir/sec of the com-file that he can't submit in batch gives what?
Uwe Zessin
Honored Contributor

Re: Insufficient privileges to submit a batch job for a new user

Cindy,
please check the ownership of DKB100:[000000]ORA_CONV.DIR;1 - it sounds like this directory is not owned by ORA_USER_MKT.

You can check this with:
$ directory/security DKB100:[000000]ORA_CONV.DIR

The correction, usually, is:
$ set FILE/OWNER=[ORA_USER_MKT] DKB100:[000000]ORA_CONV.DIR;1
$ set FILE/PROTECTION=(O:RWE) DKB100:[000000]ORA_CONV.DIR;1

The same should be applied to DKB100:[ORA_CONV]*.* and all files below that directory.

(I just can make myself comfortable with '$ SET SECURITY' for such an easy mission ;-)
.
Cindy Lomas
Occasional Advisor

Re: Insufficient privileges to submit a batch job for a new user

Thank you very much. Your questions led me to find the solution. The LOGIN.COM had

SET PROTECTION= (S:WRED,O:WRED,G:WRED,W:RE)/DEFAULT

When I removed this, the command procedure ran successfully. I guess the default protection wasn't enough to allow the user to write to the current directory.

Cindy
Uwe Zessin
Honored Contributor

Re: Insufficient privileges to submit a batch job for a new user

Cindy,

are you sure you have not changed anything else? That command sets the default protection for files created by the current process. The ability to create files in a directory depends on:

- the current UIC of the process
- UIC-ownership and access control list of the directory where the file is going to be created
- UIC-ownership, access control list and version numbers, if there is at least one file with the same name.
- the privileges of the current process
  I see that ORA_USER_MKT does not hold any file-related ones
- anything else I have forgotten ;-)

Do you still have an old DIRECTORY/SECURITY from the directory so we can take a look at it together?
.
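An added example, not written by any poster in this thread: a small Python model of the UIC-based part of the check listed above, applied to the question of whether a process can write a batch log file into a directory. It handles numeric (octal) UICs only and does not model ACLs or privileges; the directory owners and protection codes in the sample run are constructed, and `can_create_log` is a hypothetical helper name.

```python
import re

MAXSYSGROUP = 0o10  # OpenVMS default for the MAXSYSGROUP system parameter

def parse_uic(text):
    """'[100,54]' -> (64, 44); numeric UIC fields are octal."""
    m = re.fullmatch(r"\[([0-7]+),([0-7]+)\]", text.strip())
    if not m:
        raise ValueError("numeric UIC expected, e.g. [100,54]")
    return int(m.group(1), 8), int(m.group(2), 8)

def parse_protection(text):
    """'(RWE,RWE,RE,E)' as printed by DIRECTORY/SECURITY -> one access set
    per category, in the listing's order: System, Owner, Group, World."""
    fields = text.strip().strip("()").split(",")
    if len(fields) != 4:
        raise ValueError("expected four fields: S,O,G,W")
    return dict(zip("SOGW", (set(f.strip().upper()) for f in fields)))

def categories(process_uic, owner_uic):
    """Every category the process falls into; World always applies."""
    cats = {"W"}
    if process_uic[0] == owner_uic[0]:
        cats.add("G")
    if process_uic == owner_uic:
        cats.add("O")
    # System is also reached through privileges such as SYSPRV (not modelled).
    if 1 <= process_uic[0] <= MAXSYSGROUP:
        cats.add("S")
    return cats

def uic_access(process_uic, owner_uic, protection, wanted):
    """True if any category the process belongs to grants `wanted` (R/W/E/D)."""
    prot = parse_protection(protection)
    cats = categories(parse_uic(process_uic), parse_uic(owner_uic))
    return any(wanted in prot[c] for c in cats)

def can_create_log(process_uic, dir_owner, dir_protection):
    """Writing the log file into a directory needs W on the .DIR file."""
    return uic_access(process_uic, dir_owner, dir_protection, "W")

if __name__ == "__main__":
    # Constructed cases for the UIC [100,54] shown in the UAF record above.
    for owner, prot in [("[100,1]", "(RWE,RWE,RE,E)"),
                        ("[100,54]", "(RWE,RWE,RE,)"),
                        ("[200,1]", "(RWE,RWE,RE,RWE)")]:
        print(owner, prot, can_create_log("[100,54]", owner, prot))
```
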
Willem Grooters
Honored Contributor

Re: Insufficient privileges to submit a batch job for a new user

Cindy,

This user should have read+write+execute access on DKB100:[ORA_CONV], meaning DKB100:[000000]ORA_CONV.DIR should have at least W:WRE. Depending on who is the owner:

Owner = ORA_CONV: prot=O:RWE, G:RE, W:
Owner = ORA group, prot = O:RWE, G:RWE, W:
Owner = other: prot= W:RWE.

Write access is required for writing a logfile. Not really required if you specify a
You also specified "SYS$LOGIN:LOGIN.COM" in authorize - you can safely remove this - it's the default. Anyway, be careful using logical names and concealed devices in specifications like these: all should be defined /SYSTEM (never tried /GROUP for these, might be usable as well). SYS$LOGIN is a process logical, but probably can be used safely in this context (is set up by the system) but other /PROCESS won't - are set up by LGICMD - just specified here...
Willem Grooters
OpenVMS Developer & System Manager
Willem Grooters
Honored Contributor

Re: Insufficient privileges to submit a batch job for a new user

Sorry, Missed out part...

Write access is required for writing a logfile. Not really required if you specify a logfile on another location (/LOG=). Don't forget the user should have WRITE access to that location.

Willem Grooters
OpenVMS Developer & System Manager
Uwe Zessin
Honored Contributor

Re: Insufficient privileges to submit a batch job for a new user

SYS$LOGIN and SYS$LOGIN_DEVICE are in the job logical name table on my systems.
.
Jan van den Ende
Honored Contributor

Re: Insufficient privileges to submit a batch job for a new user

Willem, Uwe,

logfile spec is evaluated at SUBMIT time, so really the table in which defined is not THAT important, as long as any logical name (specified or implied) evaluates to a fully translated file. THAT is registered in the queue control file; and of course it must be available from the batch process at batch execution time.

Willem:
Specifying /LGI=LOGIN.COM or specifying nothing ARE a little different from a security perspective:
If you specify nothing, then LOGIN.COM is searched for, and executed if found.
After specifically specifying it, if it is NOT found, error handling is activated (usually forced logout).

Jan
Don't rust yours pelled jacker to fine doll missed aches.
Uwe Zessin
Honored Contributor

Re: Insufficient privileges to submit a batch job for a new user

Our discussion (at least mine) about SYS$LOGIN refers to LGICMD, not SUBMIT/LOG_FILE, but thanks for the reminder.

I can login without any problems when I have put a non-existing filename in LGICMD, but I don't have a restricted or captive account.
.
John Henstock
New Member

Re: Insufficient privileges to submit a batch job for a new user

Hi,

I have a similar issue which I can't seem to resolve.

When submitting a job from a captive account via an application using SNDJBCW we get an insufficient priv error.

"%RMS-E-PRV, insufficient privilege or file protection violation"

UAF:

Username: BELLAN Owner: RANSYS5_CHICAGO_DEFAULT
Account: BELLAN UIC: [31,20] ([RANSYS5,CHICAGO])
CLI: DCL Tables: DCLTABLES
Default: AXPS5_DISK_04:[CHICAGO]
LGICMD: VAX5_DISK_01:[RANSYS5]ACORN
Flags: DisCtlY Restricted Captive
Primary days: Mon Tue Wed Thu Fri
Secondary days: Sat Sun
Primary 000000000011111111112222 Secondary 000000000011111111112222
Day Hours 012345678901234567890123 Day Hours 012345678901234567890123
Network: ----- No access ------ ----- No access ------
Batch: ##### Full access ###### ##### Full access ######
Local: ##### Full access ###### ##### Full access ######
Dialup: ----- No access ------ ----- No access ------
Remote: ##### Full access ###### ##### Full access ######
Expiration: (none) Pwdminimum: 6 Login Fails: 0
Pwdlifetime: 30 00:00 Pwdchange: 26-NOV-2004 14:11
Last Login: 30-NOV-2004 16:23 (interactive), 30-NOV-2004 21:00 (non-interactive)
Maxjobs: 0 Fillm: 250 Bytlm: 66000
Maxacctjobs: 0 Shrfillm: 0 Pbytlm: 0
Maxdetach: 0 BIOlm: 300 JTquota: 4096
Prclm: 10 DIOlm: 400 WSdef: 2000
Prio: 4 ASTlm: 4096 WSquo: 15000
Queprio: 0 TQElm: 20 WSextent: 60000
CPU: (none) Enqlm: 10000 Pgflquo: 2000000
Authorized Privileges:
GRPNAM NETMBX OPER TMPMBX
Default Privileges:
GRPNAM NETMBX OPER TMPMBX


DIR/SEC :

Directory DSA4:[000000]

CHICAGO.DIR;1 [RANSYS5,CHICAGO] (RWE,RWE,RE,E)
(IDENTIFIER=[RANSYS5,IMPTRA],ACCESS=READ+WRITE+EXECUTE)
(IDENTIFIER=[RANSYS5,IMPTRA],OPTIONS=DEFAULT,ACCESS=READ+WRITE+EXECUTE)
(IDENTIFIER=[RANSYS5,*],OPTIONS=DEFAULT,ACCESS=READ+WRITE+EXECUTE+DELETE)
(IDENTIFIER=[RANSYS5,*],ACCESS=READ+WRITE+EXECUTE+DELETE)

Total of 1 file.

COM FIL:

RNSEND_EXPGCM.COM;2
[RANSYS5,RANSYS_5] (RWED,RWED,RWED,)


Any help much appreciated !!

Thanks
John
Ian Miller.
Honored Contributor

Re: Insufficient privileges to submit a batch job for a new user

John, can I suggest you start a new topic for your problem as it will be clearer.
____________________
Purely Personal Opinion