cybertaurean
New User
Joined: 22 Dec 2008 Posts: 15 Location: Scottsdale
Hi All,
Is there any method to check for EXECUTE rights for a RACF-ID on a dataset without submitting a job referencing the same dataset?
I believe EXECUTE is a different kind of access compared to EDIT (Anyone well-versed with the access levels, please let me know about this in detail).
Regards,
Sumesh
 |
PeterHolland
Active Member
Joined: 27 Oct 2009 Posts: 507 Location: Netherlands, Amstelveen
Command TSO LD will give you that info.
 |
Anuj Dhawan
Global Moderator
Joined: 22 Apr 2006 Posts: 4067 Location: Mumbai, India
It should be noted that the RACF command may be disabled for your ID - in other words you might not have the authority to issue that command, as an end-user.
 |
Robert Sample
Global Moderator
Joined: 06 Jun 2008 Posts: 4223 Location: Atlanta, GA
There are three types of access in RACF.
For a normal data set, the levels of access RACF permits are (and these are hierarchical in that UPDATE implies READ for example):
NONE (no access allowed)
EXECUTE (for programs and datasets only)
READ (read only access)
UPDATE (read and write access)
CONTROL (can delete and define the data set)
ALTER (can allow others access to the data set)
Note that EDIT is not an access level -- but EDIT implies at least UPDATE authority. Someone who can edit the data set may be able to delete all the records in the file, for example, but without CONTROL authority will not be able to physically delete the data set.
For Unix System Services data sets, the permissions for the directory and the file come into play -- if you don't have access to the directory, for example, it doesn't matter that the file is open to everyone.
Finally, there are facilities in RACF that can be granted (such as the ability to invoke su in Unix System Services that changes the person's user id temporarily to root -- or 0 -- access).
Since there can be generic and specific profiles set up for a given data set, RACF qualifies at the lowest level. That is, if there is UACC(READ) (universal access of read) on HLQ.ABC.* but HLQ.ABC.XYZ has UACC(NONE), the latter will apply to the data set HLQ.ABC.XYZ.
If you are not a security administrator, most sites will not give you permission to find out the RACF rules in place for a given data set or program. In such a case, you must consult your site support group to get the specifics.
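The level hierarchy and the "most specific profile applies" rule from the post above, as an added Python model that is not part of the thread and does not query RACF. Assumptions: generic matching and the specificity ordering are simplified, only UACC and a user's own access-list entry are modelled, and USER01, USER02 and the access-list entry are made up.

```python
import re

# Access levels as listed in the post, lowest to highest authority.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Constructed sample rules: the two profiles from the post plus a
# hypothetical access-list entry for the made-up user ID USER01.
PROFILES = {
    "HLQ.ABC.*": {"uacc": "READ", "acl": {}},
    "HLQ.ABC.XYZ": {"uacc": "NONE", "acl": {"USER01": "EXECUTE"}},
}

def implies(held, requested):
    """True when the held level is at or above the requested level."""
    return LEVELS.index(held) >= LEVELS.index(requested)

def matches(profile, dsname):
    """Simplified generic matching (assumption): '*' stands for the rest
    of one qualifier, '%' for exactly one character."""
    pattern = "".join(
        "[^.]*" if c == "*" else "[^.]" if c == "%" else re.escape(c)
        for c in profile
    )
    return re.fullmatch(pattern, dsname) is not None

def specificity(profile):
    """Ordering assumption: a discrete profile beats any generic one;
    among generics, more literal characters before the first generic
    character means more specific."""
    literal = len(re.split(r"[*%]", profile, maxsplit=1)[0])
    return (literal == len(profile), literal)

def effective_access(profiles, dsname, userid):
    """Return (governing profile, level) for userid on dsname."""
    hits = [p for p in profiles if matches(p, dsname)]
    if not hits:
        return None, "NONE"  # assumption: no covering profile, no access
    best = max(hits, key=specificity)
    rule = profiles[best]
    # Simplification: only the user's own access-list entry and UACC are
    # modelled; group entries and other RACF checks are left out.
    return best, rule["acl"].get(userid, rule["uacc"])

def allowed(profiles, dsname, userid, requested):
    """True when userid's effective level covers the requested level."""
    return implies(effective_access(profiles, dsname, userid)[1], requested)
```

With these sample rules, HLQ.ABC.XYZ is governed by its own profile even though HLQ.ABC.* also matches it, and a user holding only EXECUTE is refused READ.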
 |
Kjeld
New User
Joined: 15 Dec 2009 Posts: 71 Location: Denmark
Quote:
If you are not a security administrator, most sites will not give you permission to find out the RACF rules in place for a given data set or program. In such a case, you must consult your site support group to get the specifics.

Some sites may have distributed the data ownership and access approval to organisational units in the IT or in the business administration, in which case you could expect some kind of management reporting on data access to exist.
This reporting is often accomplished using some front end commercial security tools with reporting capabilities to interface with RACF.
 |
cybertaurean
New User
Joined: 22 Dec 2008 Posts: 15 Location: Scottsdale
Thanks a lot for the replies!!!
However, I do not have the privilege to execute the command.
Any other options like a TSO command that can be typed right in front of the dataset to check for privileges (please suggest some CLIST/REXX that can be created for the same without the implicit use of LD ;) )
Regards,
Sumesh
 |
Robert Sample
Global Moderator
Joined: 06 Jun 2008 Posts: 4223 Location: Atlanta, GA
Quote:
Any other options like a TSO command that can be typed right in front of the dataset to check for privileges (please suggest some CLIST/REXX that can be created for the same without the implicit use of LD ;) )

You do not want to start down this path. Many sites will immediately terminate an employee who is discovered to be attempting to violate the security restrictions in place. If you do not have authority to issue the command, your only -- and highly recommended -- option is to contact your site security group and request them to provide you with the required information. If you don't have the authority, you cannot get it by executing a clist or rexx program.
 |
cybertaurean
New User
Joined: 22 Dec 2008 Posts: 15 Location: Scottsdale
Hmm... point taken. This topic can then be closed.