Portal | Manuals | References | Downloads | Info | Programs | JCLs | Master the Mainframes
IBM Mainframe Computers Forums Index
 
Register
 
IBM Mainframe Computers Forums Index Mainframe: Search IBM Mainframe Forum: FAQ Memberlist Usergroups Profile Log in to check your private messages Log in
 

 

Specific authorization for a REXX program

 
Post new topic   Reply to topic    IBMMAINFRAMES.com Support Forums -> CLIST & REXX
View previous topic :: :: View next topic  
Author Message
girishbs13

New User


Joined: 11 Nov 2011
Posts: 24
Location: India

PostPosted: Thu Jun 12, 2014 11:39 am    Post subject: Specific authorization for a REXX program
Reply with quote

Hi All,

We are in the process of developing an in house Rexx utility.
Our requirement is such that users should be provided privileges to edit specific data sets when they run the Rexx utility, but they should not be allowed to edit the data set using ISPF 3.4 option.

Will anyone be able to guide me on how this could be achieved?
I had already checked with my security admin team they say that authorization levels are specific to user groups.

Thanks,
Sabari Girish
Back to top
View user's profile Send private message

enrico-sorichetti

Global Moderator


Joined: 14 Mar 2007
Posts: 10203
Location: italy

PostPosted: Thu Jun 12, 2014 3:58 pm    Post subject: Reply to: Specific authorization for a REXX program
Reply with quote

see here :

http://www-01.ibm.com/support/knowledgecenter/?lang=en#!/SSLTBW_1.12.0/com.ibm.zos.r12.icha700/ichza7b088.htm%23wq280

but Your security support should have known about it

unfortunately You will have to write a program ,
rexx is not enough
Back to top
View user's profile Send private message
Pedro

Senior Member


Joined: 01 Sep 2006
Posts: 2019
Location: Silicon Valley

PostPosted: Thu Jun 12, 2014 7:17 pm    Post subject: Reply to: Specific authorization for a REXX program
Reply with quote

The quirk here is that it is not your program that will update the data set. It is the ISPF editor.

Instead of the actual editor, you can read the data set, save the records into control blocks, then call the EDIF service, with your EDIF exits being able to extract from your control blocks before editing and being able to put them back after editing.
Back to top
View user's profile Send private message
enrico-sorichetti

Global Moderator


Joined: 14 Mar 2007
Posts: 10203
Location: italy

PostPosted: Thu Jun 12, 2014 7:29 pm    Post subject: Reply to: Specific authorization for a REXX program
Reply with quote

in this case it is the EDIT concept that is murky
if using ISPF edit then it will make no difference if the EDIT is invoked directly fro ISPF
or a user prolog

if the updates are critical then EDIT is not the best tool

there are too many ways of clobbering a dataset
icon_cool.gif
Back to top
View user's profile Send private message
Pedro

Senior Member


Joined: 01 Sep 2006
Posts: 2019
Location: Silicon Valley

PostPosted: Thu Jun 12, 2014 9:20 pm    Post subject: Reply to: Specific authorization for a REXX program
Reply with quote

Quote:
if the updates are critical then EDIT is not the best tool

The poster did not explain the actual data set. If the records have a specific format, for example a timestamp in columns 10-30, then would be better to present the records in an ISPF table where the user can select a row to 'edit'. You would parse the record and present each field individually in a data entry panel to the user. In this way, you can control and verify each field of the record. When the user is done changing the fields, recompose the record and save it back to the table. When done with the table, save it back to a data set.
Back to top
View user's profile Send private message
Pedro

Senior Member


Joined: 01 Sep 2006
Posts: 2019
Location: Silicon Valley

PostPosted: Thu Jun 12, 2014 10:07 pm    Post subject: Reply to: Specific authorization for a REXX program
Reply with quote

Getting back to authorizations...

I do not have direct experience, but my recollection was that in order to use the RACF program control capability, the program needed be APF authorized. This complicates your scenario because programs that use ISPF services cannot be APF authorized. You need two programs: 1) for data access, and 2) for ISPF stuff.
Back to top
View user's profile Send private message
girishbs13

New User


Joined: 11 Nov 2011
Posts: 24
Location: India

PostPosted: Fri Jun 13, 2014 9:56 am    Post subject:
Reply with quote

Enrico,Pedro,

Many thanks for the suggestions. The data sets that I'm trying to edit are unstructured, so don't think I will be able to use an ISPF table.

I think I'm better off copying the data to an Userid.* data set during edit and then copying the data back to the original data set. In this was the user will never know the actual PDS name where the data resides.

Any other way of doing this ?

Thanks,
Sabari Girish
Back to top
View user's profile Send private message
enrico-sorichetti

Global Moderator


Joined: 14 Mar 2007
Posts: 10203
Location: italy

PostPosted: Fri Jun 13, 2014 10:13 am    Post subject: Reply to: Specific authorization for a REXX program
Reply with quote

Quote:
]I think I'm better off copying the data to an Userid.* data set during edit and then copying the data back to the original data set. In this was the user will never know the actual PDS name where the data resides.

pretty useless complication ...
anybody looking at the TSO log ( using SDSF ) will find the dataset name in the allocation messages


looks like nobody in this organization has the slightest idea about proper data security ...
security by hiding things... somebody could not find a stupidest idea icon_cool.gif
Back to top
View user's profile Send private message
girishbs13

New User


Joined: 11 Nov 2011
Posts: 24
Location: India

PostPosted: Fri Jun 13, 2014 11:59 am    Post subject:
Reply with quote

Only because we don't know how it could be done its posted here?

It would be USEFUL to provide a credible idea rather than commenting about the organization!
Back to top
View user's profile Send private message
enrico-sorichetti

Global Moderator


Joined: 14 Mar 2007
Posts: 10203
Location: italy

PostPosted: Fri Jun 13, 2014 12:21 pm    Post subject: Reply to: Specific authorization for a REXX program
Reply with quote

Quote:

Only because we don't know how it could be done its posted here?
it would be USEFUL to provide a credible idea rather than commenting about the organization!

useless comment

when setting a requirement and proposing a solution proper diligence suggests that
a check should be made for the presence of proper competences
icon_evil.gif

anyway what would be wrong in knowing the damn dataset name
and protecting it with the proper RACF/... profile
Back to top
View user's profile Send private message
enrico-sorichetti

Global Moderator


Joined: 14 Mar 2007
Posts: 10203
Location: italy

PostPosted: Fri Jun 13, 2014 12:34 pm    Post subject: Reply to: Specific authorization for a REXX program
Reply with quote

follow on...
if the data is so sensitive , it would be better redesign the application storing data in a DB2 table

and to process/collect the data ...
start an EDIF session(*) with the lines retrieved from the db2 table
and at the end update the db2 table with the changed lines/rows

(*)
Quote:
2.8 EDIF--Edit interface


The Edit Interface (EDIF) service provides edit functions for data accessed through dialog-supplied I/O routines. The invoking dialog must perform all environment-dependent functions such as file allocation, opening, reading, writing, closing, and freeing. The dialog is also responsible for any Enqueue/Dequeue serialization that is required. With the dialog providing the I/O routines, EDIF allows you to:

Edit data other than partitioned data sets or sequential files such as subsystem data, and in-storage data.
Do preprocessing and post-processing of the data being edited.
Back to top
View user's profile Send private message
Pedro

Senior Member


Joined: 01 Sep 2006
Posts: 2019
Location: Silicon Valley

PostPosted: Fri Jun 13, 2014 6:43 pm    Post subject: Reply to: Specific authorization for a REXX program
Reply with quote

The simplest solution is a program that copies it from the 'hidden' data set to another data set (and to copy it back later). It still needs to be APF authorized in order to use the RACF program access protection.

Quote:
The data sets that I'm trying to edit are unstructured

You need to impose some kind of structure.

The reason for not allowing direct updating of the data set is so that the user does not introduce errors. It is not as simple as allowing the user to edit a clone of the data set. You need to verify that it does not have errors before copying back to the master data set. And in order to verify the data, it has to be in a predictable format.
Back to top
View user's profile Send private message
Pedro

Senior Member


Joined: 01 Sep 2006
Posts: 2019
Location: Silicon Valley

PostPosted: Fri Jun 13, 2014 9:13 pm    Post subject: Reply to: Specific authorization for a REXX program
Reply with quote

Thinking outside of the box...

If you write your own program, you may also want to serialize access, add logging and keep track of who made changes. Perhaps it is a better solution to use commercial software.

1. use existing Library Management system to control check-out and 'promotes' of changes to the file.

2. use Apache web server and define this as a wiki page. You would have various generations of the file and be able to compare any generation with any other. And you would know who changed what, when.
Back to top
View user's profile Send private message
View previous topic :: :: View next topic  
Post new topic   Reply to topic    IBMMAINFRAMES.com Support Forums -> CLIST & REXX All times are GMT + 6 Hours
Page 1 of 1

 

Search our Forum:

Similar Topics
Topic Author Forum Replies Posted
No new posts I can not compile my program PL1 V3.R... Miguel Fernandez PL/I & Assembler 13 Tue Dec 06, 2016 8:30 pm
No new posts IMS BMP program causes 878 system abend Artemk IMS DB/DC 7 Tue Nov 22, 2016 8:26 pm
No new posts What is the command to check MODE of ... rohanthengal CLIST & REXX 6 Fri Nov 18, 2016 1:48 pm
This topic is locked: you cannot edit posts or make replies. Rexx to create GDG by scanning JJ result krish.deepu CLIST & REXX 5 Tue Oct 25, 2016 5:32 pm
No new posts Replace repeated JCL with looping REXX prino CLIST & REXX 3 Thu Oct 13, 2016 5:30 am


Facebook
Back to Top
 
Mainframe Wiki | Forum Rules | Bookmarks | Subscriptions | FAQ | Tutorials | Contact Us