Read GROUP from RACF with a program

ajaehnert · New User Joined: 05 Dec 2007 Posts: 13 Location: Germany

Hi,

i search for a program(PLI) which i can use to
read the group of a USER from RACF.

when i want to read a dataset i not allowed to read, i become this :

ICH408I USER(ABCDEF) GROUP(XXX ) NAME(JAEHNERT.HERR/FA.CSG)
SYS1.VOLCAT.VGENERAL CL(DATASET ) VOL(ESARSA)
INSUFFICIENT ACCESS AUTHORITY
FROM SYS1.VOLCAT.*.** (G)
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
***

And the same Information i need i my program to check the group of a
RACF-User.

Now we have this group coded in the first 4 charater of the userid.
in the future we want to use unique USERID without this information,
thats wy i need this informatin from RACF.
I want to check the group in both (batch and online) programs.

Can someone help me ?

expat · Posted: Wed Jul 16, 2008 2:40 pm

Don't go there ................ Go talk with your security people.

I have seen a couple of people dismissed from jobs for playing with RACF control blocks in MVS.

nevilh · Active User Joined: 01 Sep 2006 Posts: 262

Hi; The RACROUTE macro will do what you want though I do not know if you can invoke it directly from PL/I

ajaehnert · New User Joined: 05 Dec 2007 Posts: 13 Location: Germany

How can i use this RACROUTE MAcro to get this information ?

Is it possible to call the macro directly from PLI ?

dick scherrer · Posted: Wed Jul 16, 2008 9:10 pm

Hello ajaehnert,

Which part of "Go talk with your security people" did you not understand. . .?

We (the forum) are not here to provide what you are looking for. It would be quite irresponsible of us to do so. . .

Pedro · Posted: Wed Jul 16, 2008 10:23 pm

You do not need to write your own program. Use the LISTUSER command of RACF to list the information. It is not clear why you want a PLI program.

expat · Posted: Thu Jul 17, 2008 12:45 pm

If this is a security issue regarding access to data, you really need to get this sorted through the correct channels, or start looking for your next job RIGHT NOW

RACF is oh so easy to audit, and so so very difficult to bypass (But I have managed to do it once or twice

), and if you are seen to be attempting to access data to which you have no legitimate reason, and by that I mean access has been granted and documented through official procedures, many shops will reward your initiative with instant dismissal.

nevilh · Active User Joined: 01 Sep 2006 Posts: 262

I find this to be a legitimate question. If I have interpreted the OP correctly all he wishes to do is interrogate RACF in order to check the level of authorisation. This is a technique used by a multitude of software products and applications . I have worked in several installations where this technique has been used to dynamically build panels ie administrators get presented different panels to normal end-users

expat · Posted: Thu Jul 17, 2008 1:24 pm

Pedro · Posted: Thu Jul 17, 2008 9:34 pm

[quote]Use the LISTUSER command

nevilh · Active User Joined: 01 Sep 2006 Posts: 262

I am afraid we will have to agree to disagree I do not see any reason to tread lightly the information that the OP requires is freely available to non-authorised programs in areas of storage that are readily accessable . If this information was going to be modified I would say do so at your own risk. But to read this information in order to decide on what processing to perform is fairly standard.