HPE Community
Operating System - OpenVMS
1825689 Members
3590 Online
109686 Solutions
New Discussion

Privileges needed to run T4 ?

 
SOLVED
Go to solution
Jan van den Boogaard
Frequent Advisor

‎10-03-2007 10:37 PM

‎10-03-2007 10:37 PM

Privileges needed to run T4 ?

Hi,

What privileges are needed to run T4? The install doc says only ALTPRI is needed. We dont want to run T4$COLLECT under the SYSTEM account, so I made an UAF account T4USER with just ALTPRI, NETMBX, TMPMBX. But still we run into NOPRIV errors like:

disk:[T4DATA]T4$Collect_VWTA13.LOG;4

%T4FCMON-I-DISKDEVNAM, DISK device detected is _$1$DGA1201:, Unit:1201, DevType:54 (HSV110) 18020810 1C4D5008 21050281 0001
%T4FCMON-I-DISKDEVNAM, DISK device detected is _$1$DGA1202:, Unit:1202, DevType:54 (HSV110) 18020810 1C4D5008 21050281 0001
%T4FCMON-I-HIBER, Hibernating until 4-OCT-2007 11:20:00.00 before starting data collection for all mounted FC disks ...
%T4FCMON-I-STARTCOLL, Time is now 4-OCT-2007 11:20:00.00 - Starting to collect data for all mounted FC disks ...
%T4FCMON-I-COLLEVENT, Data Collection event timed at 4-OCT-2007 11:20:00.00 ...
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
0 Kudos
6 REPLIES 6
Volker Halle
Honored Contributor

‎10-03-2007 10:51 PM

‎10-03-2007 10:51 PM

Solution

Re: Privileges needed to run T4 ?

Jan,

only HP knows what additional privileges T4 may need, but you can probably find out for yourself:

$ SET AUDIT/ALARM/ENA=ACCESS=FAILURE
$ REPLY/ENA=SECURITY

Start T4. It may be sufficient to just start T4FCmon - after setting up the expected symbols invoke @T4$SYS:T4$FC_MON.COM

Volker.
0 Kudos
Jan van den Boogaard
Frequent Advisor

‎10-04-2007 05:40 AM

‎10-04-2007 05:40 AM

Re: Privileges needed to run T4 ?

Thanks Volker!

It appears T4 needs CMKRNL and access to the accounting file.

Security audit (SECURITY) on ISLB16, system id: 32779
Auditable event: Privilege failure
Event information: CMKRNL not used to execute $CMKRNL(_64) system service ($CMKRNL or $CMKRNL_64)
Event time: 4-OCT-2007 16:45:00.01
PID: 202010B2 Parent PID: 202010A9
Process name: T4202010A9_XFC Parent process name: T4$V34_41645
Username: SVC_T4 Parent username: SVC_T4
Process owner: [SVC_T4]
Image name: DSA1:[SYS1.SYSCOMMON.T4$SYS]T4$XFC_MON.EXE;1
Privileges missing: CMKRNL
Posix UID: -2 Parent Posix UID: -2
Posix GID: -2 (%XFFFFFFFE) Parent Posix GID: -2 (%XFFFFFFFE)



Security audit (SECURITY) on ISLB16, system id: 32779
Auditable event: Privilege failure
Event information: CMKRNL not used to execute $CMKRNL(_64) system service ($CMKRNL or $CMKRNL_64)
Event time: 4-OCT-2007 16:45:00.01
PID: 202010B3 Parent PID: 202010A9
Process name: T4202010A9_Lck7 Parent process name: T4$V34_41645
Username: SVC_T4 Parent username: SVC_T4
Process owner: [SVC_T4]
Image name: DSA1:[SYS1.SYSCOMMON.T4$SYS]T4$LCK73_MON.EXE;1
Privileges missing: CMKRNL
Posix UID: -2 Parent Posix UID: -2
Posix GID: -2 (%XFFFFFFFE) Parent Posix GID: -2 (%XFFFFFFFE)

0 Kudos
Jan van den Boogaard
Frequent Advisor

‎10-04-2007 05:42 AM

‎10-04-2007 05:42 AM

Re: Privileges needed to run T4 ?

T4 needs CMKRNL and write access to the accounting file.
0 Kudos
Volker Halle
Honored Contributor

‎10-04-2007 05:54 AM

‎10-04-2007 05:54 AM

Re: Privileges needed to run T4 ?

Jan,

you can certainly install the additional T4 utilites requiring CMKRNL with /PRIV=CMKRNL, so you don't need to grant this privilege to your T4USER account.

But WRITE access to ACCOUNTNG.DAT - are you sure ? Read access would be understandable for the ACLG statistics (login times), but write access ??

Volker.
0 Kudos
Robert Gezelter
Honored Contributor

‎10-04-2007 06:54 AM

‎10-04-2007 06:54 AM

Re: Privileges needed to run T4 ?

Jan,

In the event that it is useful.

One can (and I have) implement much of the data gathering by running the jobs manually in batch. It is not as elegant, but it does produce the data needed to build the data files and analyze the graphs.

In the case of some of my clients, I have needed to analyze the performance of systems too old to install the T4 kit.

- Bob Gezelter, http://www.rlgsc.com
0 Kudos
Jan van den Boogaard
Frequent Advisor

‎10-08-2007 01:34 AM

‎10-08-2007 01:34 AM

Re: Privileges needed to run T4 ?

Volker,

You're absolutely right! Only read access to the ACCOUNTNG file is required by T4, audit says so clearly:

%%%%%%%%%%% OPCOM 8-OCT-2007 14:50:05.53 %%%%%%%%%%%
Message from user AUDIT$SERVER on ISLB16
Security alarm (SECURITY) on ISLB16, system id: 32779
Auditable event: Object access
Event information: file access request (IO$_ACCESS or IO$_CREATE)
Event time: 8-OCT-2007 14:50:05.53
PID: 20201064
Process name: T4$V34_81440
Username: SVC_T4
Process owner: [SVC_T4]
Image name: DSA1:[VMS$COMMON.T4$SYS]T4$ACLG.EXE;1
Object class name: FILE
Object owner: [SYSTEM]
Object protection: SYSTEM:RWED, OWNER:RWED, GROUP:, WORLD:
File name: _DSA2:[ISLB16.ACCOUNTNG]ACCOUNTNG.DAT;1
File ID: (231,1,0)
Access requested: READ
Posix UID: -2
Posix GID: -2 (%XFFFFFFFE)
Sequence key: 000B600A
Status: %SYSTEM-F-NOPRIV, insufficient privilege or object protection violation

Thks again for your help.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.