
Read GROUP from RACF with a program

 
ajaehnert

New User


Joined: 05 Dec 2007
Posts: 13
Location: Germany

Posted: Wed Jul 16, 2008 12:21 pm    Post subject: Read GROUP from RACF with a program

Hi,

I am searching for a program (PL/I) which I can use to
read the group of a user from RACF.

When I try to read a dataset I am not allowed to read, I get this:

ICH408I USER(ABCDEF) GROUP(XXX ) NAME(JAEHNERT.HERR/FA.CSG)
SYS1.VOLCAT.VGENERAL CL(DATASET ) VOL(ESARSA)
INSUFFICIENT ACCESS AUTHORITY
FROM SYS1.VOLCAT.*.** (G)
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
***

I need the same information in my program to check the group of a
RACF user.

Right now we have this group coded in the first 4 characters of the userid.
In the future we want to use unique USERIDs without this information;
that's why I need this information from RACF.
I want to check the group in both (batch and online) programs.

Can someone help me?

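Added example, not part of the original thread or any poster's code: the ICH408I message quoted in the post above already prints the user, group, resource, class and access levels, so captured log text can be parsed for those fields when reviewing access violations. The Python below runs on constructed sample messages (all userids, groups and dataset names are made up, and the function names are this example's own), and, because the post says the group is currently coded in the first four characters of the userid, it also lists the users for whom that convention does not hold.

```python
import re

# Constructed sample log text: two ICH408I messages with an unrelated line
# between them. Every userid, group, name and dataset here is made up.
SAMPLE_LOG = """\
ICH408I USER(PAYR01  ) GROUP(PAYR    ) NAME(EXAMPLE USER ONE    )
  SYS1.VOLCAT.VGENERAL CL(DATASET ) VOL(VOL001)
  INSUFFICIENT ACCESS AUTHORITY
  FROM SYS1.VOLCAT.*.** (G)
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
IEF403I PAYRJOB1 - STARTED
ICH408I USER(HRXX02  ) GROUP(FINA    ) NAME(EXAMPLE USER TWO    )
  HR.SALARY.DATA CL(DATASET ) VOL(VOL002)
  INSUFFICIENT ACCESS AUTHORITY
  FROM HR.SALARY.** (G)
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )
"""

# KEYWORD(value) pairs as they appear in the message; values are blank-padded.
KEYWORD = re.compile(
    r"\b(USER|GROUP|NAME|CL|VOL|ACCESS INTENT|ACCESS ALLOWED)\(([^)]*)\)")

def fields_of(lines):
    """Turn the collected lines of one message into a dict of stripped fields."""
    text = " ".join(lines)
    rec = {k.lower().replace(" ", "_"): v.strip() for k, v in KEYWORD.findall(text)}
    resource = re.search(r"(\S+)\s+CL\(", text)      # name printed before CL(...)
    profile = re.search(r"\bFROM\s+(\S+)", text)     # profile that denied access
    rec["resource"] = resource.group(1) if resource else None
    rec["profile"] = profile.group(1) if profile else None
    return rec

def parse_ich408i(log_text):
    """Return one dict per ICH408I message (assumes it ends at ACCESS ALLOWED)."""
    events, current = [], None
    for line in log_text.splitlines():
        if "ICH408I" in line:
            current = [line.split("ICH408I", 1)[1]]   # drop any log prefix
        elif current is not None:
            current.append(line)
        if current is not None and "ACCESS ALLOWED(" in line:
            events.append(fields_of(current))
            current = None
    return events

def userid_prefix_mismatches(events):
    """List (user, group) pairs where the first 4 userid characters are not the group."""
    return [(e["user"], e["group"]) for e in events if e["user"][:4] != e["group"]]
```
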
expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8593
Location: Back in jolly old England

Posted: Wed Jul 16, 2008 2:40 pm

Don't go there ................ Go talk with your security people.

I have seen a couple of people dismissed from jobs for playing with RACF control blocks in MVS.
nevilh

Active User


Joined: 01 Sep 2006
Posts: 258

Posted: Wed Jul 16, 2008 3:06 pm

Hi, the RACROUTE macro will do what you want, though I do not know if you can invoke it directly from PL/I.
ajaehnert

New User


Joined: 05 Dec 2007
Posts: 13
Location: Germany

Posted: Wed Jul 16, 2008 3:46 pm

How can I use this RACROUTE macro to get this information?

Is it possible to call the macro directly from PL/I?
dick scherrer

Site Director


Joined: 23 Nov 2006
Posts: 19270
Location: Inside the Matrix

Posted: Wed Jul 16, 2008 9:10 pm

Hello ajaehnert,

Which part of "Go talk with your security people" did you not understand. . .?

We (the forum) are not here to provide what you are looking for. It would be quite irresponsible of us to do so. . .
Pedro

Senior Member


Joined: 01 Sep 2006
Posts: 2058
Location: Silicon Valley

Posted: Wed Jul 16, 2008 10:23 pm    Post subject: Reply to: Read GROUP from RACF with a program

You do not need to write your own program. Use the LISTUSER command of RACF to list the information. It is not clear why you want a PLI program.
expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8593
Location: Back in jolly old England

Posted: Thu Jul 17, 2008 12:45 pm

If this is a security issue regarding access to data, you really need to get this sorted through the correct channels, or start looking for your next job RIGHT NOW.

RACF is oh so easy to audit, and so so very difficult to bypass (but I have managed to do it once or twice), and if you are seen to be attempting to access data to which you have no legitimate reason, and by that I mean access has been granted and documented through official procedures, many shops will reward your initiative with instant dismissal.
nevilh

Active User


Joined: 01 Sep 2006
Posts: 258

Posted: Thu Jul 17, 2008 1:17 pm

I find this to be a legitimate question. If I have interpreted the OP correctly, all he wishes to do is interrogate RACF in order to check the level of authorisation. This is a technique used by a multitude of software products and applications. I have worked in several installations where this technique has been used to dynamically build panels, i.e. administrators get presented different panels to normal end-users.
expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8593
Location: Back in jolly old England

Posted: Thu Jul 17, 2008 1:24 pm

nevilh wrote:
I find this to be a legitimate question. If I have interpreted the OP correctly, all he wishes to do is interrogate RACF in order to check the level of authorisation. This is a technique used by a multitude of software products and applications. I have worked in several installations where this technique has been used to dynamically build panels, i.e. administrators get presented different panels to normal end-users.

That may be so, but where security policy is involved it is always better to know what you are allowed to do, and what you are not allowed to do. I have worked in one shop where playing with anything remotely related to interrogating RACF was instant dismissal unless coordinated via the security admin team. And yes, they did fire people for that offence, but then again they fired one guy for leaving his desk and not locking his terminal.

Personally, I don't give a monkey's what the OP gets up to, but just offering some advice based on experience that may help CHA.
Pedro

Senior Member


Joined: 01 Sep 2006
Posts: 2058
Location: Silicon Valley

Posted: Thu Jul 17, 2008 9:34 pm    Post subject: Reply to: Read GROUP from RACF with a program

Quote:
Use the LISTUSER command

I should add that a normal user can only list their own userid. You need higher authorities to list other people's group information.

I agree with Expat that you should tread lightly.
nevilh

Active User


Joined: 01 Sep 2006
Posts: 258

Posted: Fri Jul 18, 2008 1:36 am

I am afraid we will have to agree to disagree. I do not see any reason to tread lightly; the information that the OP requires is freely available to non-authorised programs in areas of storage that are readily accessible. If this information was going to be modified I would say do so at your own risk. But to read this information in order to decide on what processing to perform is fairly standard.
All times are GMT + 6 Hours