Read GROUP from RACF with a program

 
ajaehnert

New User


Joined: 05 Dec 2007
Posts: 13
Location: Germany

Posted: Wed Jul 16, 2008 12:21 pm    Post subject: Read GROUP from RACF with a program

Hi,

I am looking for a program (PLI) which I can use to
read the group of a USER from RACF.

When I try to read a dataset I am not allowed to read, I get this:

ICH408I USER(ABCDEF) GROUP(XXX ) NAME(JAEHNERT.HERR/FA.CSG)
SYS1.VOLCAT.VGENERAL CL(DATASET ) VOL(ESARSA)
INSUFFICIENT ACCESS AUTHORITY
FROM SYS1.VOLCAT.*.** (G)
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
***

I need the same information in my program to check the group of a
RACF user.

At present we have this group coded in the first 4 characters of the userid.
In the future we want to use unique USERIDs without this information;
that's why I need this information from RACF.
I want to check the group in both batch and online programs.

Can someone help me?

expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8593
Location: Back in jolly old England

Posted: Wed Jul 16, 2008 2:40 pm    Post subject:

Don't go there ................ Go talk with your security people.

I have seen a couple of people dismissed from jobs for playing with RACF control blocks in MVS.
nevilh

Active User


Joined: 01 Sep 2006
Posts: 259

Posted: Wed Jul 16, 2008 3:06 pm    Post subject:

Hi, the RACROUTE macro will do what you want, though I do not know if you can invoke it directly from PL/I.
ajaehnert

New User


Joined: 05 Dec 2007
Posts: 13
Location: Germany

Posted: Wed Jul 16, 2008 3:46 pm    Post subject:

How can I use this RACROUTE macro to get this information?

Is it possible to call the macro directly from PLI?
dick scherrer

Site Director


Joined: 23 Nov 2006
Posts: 19270
Location: Inside the Matrix

Posted: Wed Jul 16, 2008 9:10 pm    Post subject:

Hello ajaehnert,

Which part of "Go talk with your security people" did you not understand. . .?

We (the forum) are not here to provide what you are looking for. It would be quite irresponsible of us to do so. . .
Pedro

Senior Member


Joined: 01 Sep 2006
Posts: 2086
Location: Silicon Valley

Posted: Wed Jul 16, 2008 10:23 pm    Post subject: Reply to: Read GROUP from RACF with a program

You do not need to write your own program. Use the LISTUSER command of RACF to list the information. It is not clear why you want a PLI program.
expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8593
Location: Back in jolly old England

Posted: Thu Jul 17, 2008 12:45 pm    Post subject:

If this is a security issue regarding access to data, you really need to get this sorted through the correct channels, or start looking for your next job RIGHT NOW

RACF is oh so easy to audit, and so so very difficult to bypass (But I have managed to do it once or twice), and if you are seen to be attempting to access data to which you have no legitimate reason, and by that I mean access has been granted and documented through official procedures, many shops will reward your initiative with instant dismissal.
nevilh

Active User


Joined: 01 Sep 2006
Posts: 259

Posted: Thu Jul 17, 2008 1:17 pm    Post subject:

I find this to be a legitimate question. If I have interpreted the OP correctly, all he wishes to do is interrogate RACF in order to check the level of authorisation. This is a technique used by a multitude of software products and applications. I have worked in several installations where this technique has been used to dynamically build panels, i.e. administrators get presented different panels to normal end-users.
expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8593
Location: Back in jolly old England

Posted: Thu Jul 17, 2008 1:24 pm    Post subject:

nevilh wrote:
I find this to be a legitimate question. If I have interpreted the OP correctly, all he wishes to do is interrogate RACF in order to check the level of authorisation. This is a technique used by a multitude of software products and applications. I have worked in several installations where this technique has been used to dynamically build panels, i.e. administrators get presented different panels to normal end-users.

That may be so, but where security policy is involved it is always better to know what you are allowed to do, and what you are not allowed to do. I have worked in one shop where playing with anything remotely related to interrogating RACF was instant dismissal unless coordinated via the security admin team. And yes, they did fire people for that offence, but then again they fired one guy for leaving his desk and not locking his terminal.

Personally, I don't give a monkeys what the OP gets up to, but just offering some advice based on experience that may help CHA.
Pedro

Senior Member


Joined: 01 Sep 2006
Posts: 2086
Location: Silicon Valley

Posted: Thu Jul 17, 2008 9:34 pm    Post subject: Reply to: Read GROUP from RACF with a program

Quote:
Use the LISTUSER command

I should add that a normal user can only list their own userid. You need higher authorities to list other people's group information.

I agree with Expat that you should tread lightly.
nevilh

Active User


Joined: 01 Sep 2006
Posts: 259

Posted: Fri Jul 18, 2008 1:36 am    Post subject:

I am afraid we will have to agree to disagree. I do not see any reason to tread lightly; the information that the OP requires is freely available to non-authorised programs in areas of storage that are readily accessible. If this information was going to be modified I would say do so at your own risk. But to read this information in order to decide on what processing to perform is fairly standard.
All times are GMT + 6 Hours

 
