ajaehnert
New User
Joined: 05 Dec 2007 Posts: 13 Location: Germany
Hi,
I am searching for a program (PL/I) which I can use to read the group of a USER from RACF.
When I want to read a dataset I am not allowed to read, I get this:
ICH408I USER(ABCDEF) GROUP(XXX ) NAME(JAEHNERT.HERR/FA.CSG)
SYS1.VOLCAT.VGENERAL CL(DATASET ) VOL(ESARSA)
INSUFFICIENT ACCESS AUTHORITY
FROM SYS1.VOLCAT.*.** (G)
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
***
And the same information I need in my program to check the group of a RACF user.
Now we have this group coded in the first 4 characters of the userid.
In the future we want to use unique USERIDs without this information; that's why I need this information from RACF.
I want to check the group in both (batch and online) programs.
Can someone help me?
expat
Global Moderator
Joined: 14 Mar 2007 Posts: 8797 Location: Welsh Wales
Don't go there ................ Go talk with your security people.
I have seen a couple of people dismissed from jobs for playing with RACF control blocks in MVS.
nevilh
Active User
Joined: 01 Sep 2006 Posts: 262
Hi; The RACROUTE macro will do what you want, though I do not know if you can invoke it directly from PL/I.
ajaehnert
New User
Joined: 05 Dec 2007 Posts: 13 Location: Germany
How can I use this RACROUTE macro to get this information?
Is it possible to call the macro directly from PL/I?
dick scherrer
Moderator Emeritus
Joined: 23 Nov 2006 Posts: 19244 Location: Inside the Matrix
Hello ajaehnert,
Which part of "Go talk with your security people" did you not understand. . .?
We (the forum) are not here to provide what you are looking for. It would be quite irresponsible of us to do so. . .
Pedro
Global Moderator
Joined: 01 Sep 2006 Posts: 2547 Location: Silicon Valley
You do not need to write your own program. Use the LISTUSER command of RACF to list the information. It is not clear why you want a PL/I program.
expat
Global Moderator
Joined: 14 Mar 2007 Posts: 8797 Location: Welsh Wales
If this is a security issue regarding access to data, you really need to get this sorted through the correct channels, or start looking for your next job RIGHT NOW.
RACF is oh so easy to audit, and so so very difficult to bypass (but I have managed to do it once or twice), and if you are seen to be attempting to access data to which you have no legitimate reason, and by that I mean access has been granted and documented through official procedures, many shops will reward your initiative with instant dismissal.
nevilh
Active User
Joined: 01 Sep 2006 Posts: 262
I find this to be a legitimate question. If I have interpreted the OP correctly, all he wishes to do is interrogate RACF in order to check the level of authorisation. This is a technique used by a multitude of software products and applications. I have worked in several installations where this technique has been used to dynamically build panels, i.e. administrators get presented different panels to normal end-users.
expat
Global Moderator
Joined: 14 Mar 2007 Posts: 8797 Location: Welsh Wales
nevilh wrote:
I find this to be a legitimate question. If I have interpreted the OP correctly, all he wishes to do is interrogate RACF in order to check the level of authorisation. This is a technique used by a multitude of software products and applications. I have worked in several installations where this technique has been used to dynamically build panels, i.e. administrators get presented different panels to normal end-users.
That may be so, but where security policy is involved it is always better to know what you are allowed to do, and what you are not allowed to do. I have worked in one shop where playing with anything remotely related to interrogating RACF was instant dismissal unless coordinated via the security admin team. And yes, they did fire people for that offence, but then again they fired one guy for leaving his desk and not locking his terminal.
Personally, I don't give a monkeys what the OP gets up to, but just offering some advice based on experience that may help CHA.
Pedro
Global Moderator
Joined: 01 Sep 2006 Posts: 2547 Location: Silicon Valley
Quote:
Use the LISTUSER command
I should add that a normal user can only list their own userid. You need higher authorities to list other people's group information.
I agree with Expat that you should tread lightly.
nevilh
Active User
Joined: 01 Sep 2006 Posts: 262
I am afraid we will have to agree to disagree. I do not see any reason to tread lightly; the information that the OP requires is freely available to non-authorised programs in areas of storage that are readily accessible. If this information was going to be modified I would say do so at your own risk. But to read this information in order to decide on what processing to perform is fairly standard.