Discussion:
Guardian error 48 opening file
Bry Pas
2023-03-13 17:05:57 UTC
Hello Tandem experts,

Encountered this Guardian error 48 when an Operator ID (230,1) runs the program owned by a user within its group (230,254)

Here's the scenario, operator runs the program and got an error
RUN GGSCI
OGG ERROR 103 Guardian error 48 opening file $DISK.SUBVOL.GROUP

File security set to
RWEP
GOGO

FILE OWNER is 230,254
User ID running the program is 230,1

Anyone knows how to fix this? Your feedback is very much appreciated! Thank you.
JShepherd
2023-03-13 17:50:12 UTC
Post by Bry Pas
Hello Tandem experts,
Encountered this Guardian error 48 when an Operator ID (230,1) runs the program owned by a user within its group (230,254)
Here's the scenario, operator runs the program and got an error
RUN GGSCI
OGG ERROR 103 Guardian error 48 opening file $DISK.SUBVOL.GROUP
File security set to
RWEP
GOGO
FILE OWNER is 230,254
User ID running the program is 230,1
Anyone knows how to fix this? Your feedback is very much appreciated! Thank you.
Is the application, as 230,1, opening the file for write access ?

If the owner is 230,254 and the security is "GOGO" then
only the owner 230,254 has write access
keit...@gmail.com
2023-03-13 21:14:33 UTC
Post by Bry Pas
Hello Tandem experts,
Encountered this Guardian error 48 when an Operator ID (230,1) runs the program owned by a user within its group (230,254)
Here's the scenario, operator runs the program and got an error
RUN GGSCI
OGG ERROR 103 Guardian error 48 opening file $DISK.SUBVOL.GROUP
File security set to
RWEP
GOGO
FILE OWNER is 230,254
User ID running the program is 230,1
Anyone knows how to fix this? Your feedback is very much appreciated! Thank you.
Did you check if there were any Safeguard rules on the file, disk, or volume? SAFECOM INFO ... Also, the audit trail of safeguard will tell you if there was a rejection and why.
I hope that this helps.
Bry Pas
2023-03-14 13:50:14 UTC
Did you check if there were any Safeguard rules on the file, disk, or volume? SAFECOM INFO ... Also, the audit trail of safeguard will tell you if there was a rejection and why.
I hope that this helps.
Hello Keit, JShepherd,

Thanks for your replies.

Are there any options aside from SAFEGUARD control? We would like to set PROGID of this file but not sure what is the effect, does it make the file accessible to any users in the system?
Bill Honaker
2023-03-14 17:31:42 UTC
Post by Bry Pas
Did you check if there were any Safeguard rules on the file, disk, or volume? SAFECOM INFO ... Also, the audit trail of safeguard will tell you if there was a rejection and why.
I hope that this helps.
Hello Keit, JShepherd,
Thanks for your replies.
Are there any options aside from SAFEGUARD control? We would like to set PROGID of this file but not sure what is the effect, does it make the file accessible to any users in the system?
Bry Pas,

It would not. PROGID is only applicable to Guardian executable files (Code 100, 500, 700). When set, and when a process is started using that as the Program File Name, the process runs with a 'PAID' (Process Access ID) of the owner of the file.

Setting the 'WRITE' security byte (the second of the 4 bytes) to an appropriate value affects whether a program can open the file for Write access.
If you need more granularity than that for controlling access, you must use Safeguard.

Hope that helps,
Bill
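
The security-string check and the PROGID effect described in the replies above, as an added Python sketch (not part of the thread and not vendor code). It models only the four-character Guardian RWEP string for local access and ignores Safeguard ACLs; the function names `paid_for` and `open_file` are hypothetical.

```python
# Added illustration: Guardian RWEP security-string evaluation, local access only.
# Safeguard ACLs are not modelled here.
GUARDIAN_ERR_SECURITY = 48          # file-system error 48: security violation
SUPER_ID = (255, 255)               # (group, member) of SUPER.SUPER
VALID_CODES = set("AGONCU-")

def _allowed(code, paid, owner):
    """Evaluate one security character for a local accessor."""
    if paid == SUPER_ID:
        return True                 # local super ID passes every code, including '-'
    if code in "AN":                # any user (N also admits remote users)
        return True
    if code in "GC":                # member of the owner's group (C also remote)
        return paid[0] == owner[0]
    if code in "OU":                # the owner only (U also remote)
        return paid == owner
    return False                    # '-' : local super ID only

def paid_for(starter, program_owner, progid):
    """PAID of a new process: the program file's owner if PROGID is set."""
    return program_owner if progid else starter

def open_file(paid, owner, security, access):
    """Return 0 if the open is permitted, else 48 (security violation)."""
    if len(security) != 4 or not set(security) <= VALID_CODES:
        raise ValueError("security must be four characters from AGONCU-")
    needed = {"read": "R", "write": "W", "read-write": "RW"}[access]
    for op in needed:
        code = security["RWEP".index(op)]   # R, W, E, P positions in the string
        if not _allowed(code, paid, owner):
            return GUARDIAN_ERR_SECURITY
    return 0

if __name__ == "__main__":
    owner, operator = (230, 254), (230, 1)   # IDs from the original post
    # Operator opens the "GOGO" file: read passes (G), write fails (O).
    print(open_file(operator, owner, "GOGO", "read"))         # 0
    print(open_file(operator, owner, "GOGO", "read-write"))   # 48
    # Write byte relaxed to G: any member of group 230 may write.
    print(open_file(operator, owner, "GGGO", "read-write"))   # 0
    # PROGID on a program owned by 230,254: the process runs as the owner.
    paid = paid_for(operator, owner, progid=True)
    print(open_file(paid, owner, "GOGO", "read-write"))       # 0
```
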
JShepherd
2023-03-15 16:39:49 UTC
Post by ***@gmail.com
Did you check if there were any Safeguard rules on the file, disk, or volume? SAFECOM INFO ... Also, the audit trail of safeguard will tell you if there was a rejection and why.
I hope that this helps.
Hello Keit, JShepherd,
Thanks for your replies.
Are there any options aside from SAFEGUARD control? We would like to set PROGID of this file but not sure what is the effect, does it make the file accessible to any users in the system?
Safeguard is the solution.

Safeguard Access Control Lists (ACLs) will override enscribe security.

One example of a volume level ACL.
Safecom run as super.super

safecom

add volume $VOL
ALTER VOLUME $VOL ACCESS GROUP NUMBER \*.00255 (R,W,E,P,C,O)
ALTER VOLUME $VOL ACCESS GROUP NUMBER \*.00100 (R,W,E,P,C,O)
ALTER VOLUME $VOL ACCESS GROUP NUMBER \*.00130 (R, E)
ALTER VOLUME $VOL ACCESS GROUP NUMBER \*.00140 (R,W,E)
ALTER VOLUME $VOL ACCESS GROUP NUMBER \*.00160 (R,W,E)
ALTER VOLUME $VOL ACCESS GROUP NUMBER \*.00200 (R, E)

ACLs can be volume level or subvol level or diskfile level
or any combination of those.
Randall
2023-03-15 19:20:31 UTC
Post by Bry Pas
Did you check if there were any Safeguard rules on the file, disk, or volume? SAFECOM INFO ... Also, the audit trail of safeguard will tell you if there was a rejection and why.
I hope that this helps.
Hello Keit, JShepherd,
Thanks for your replies.
Are there any options aside from SAFEGUARD control? We would like to set PROGID of this file but not sure what is the effect, does it make the file accessible to any users in the system?
You could consider running the program in an XAC session (XYGATE). That would allow the operator to switch users to the owner. However, if you are running GoldenGate (GGSCI?), you might want to examine your security rules more deeply. SafeGuard is more likely the solution as others have said, or changing the program to open the file read-protected or read-shared.
--Randall
Bry Pas
2023-03-31 12:33:41 UTC
Thank you all for the inputs. Resolved it by adding Safeguard access to subvol level. Cheers!