Specific authorization for a REXX program


IBM Mainframe Forums -> CLIST & REXX
girishbs13

New User


Joined: 11 Nov 2011
Posts: 24
Location: India

Posted: Thu Jun 12, 2014 11:39 am

Hi All,

We are in the process of developing an in house Rexx utility.
Our requirement is such that users should be provided privileges to edit specific data sets when they run the Rexx utility, but they should not be allowed to edit the data set using ISPF 3.4 option.

Will anyone be able to guide me on how this could be achieved?
I have already checked with my security admin team; they say that authorization levels are specific to user groups.

Thanks,
Sabari Girish
enrico-sorichetti

Superior Member


Joined: 14 Mar 2007
Posts: 10873
Location: italy

Posted: Thu Jun 12, 2014 3:58 pm

see here:

www-01.ibm.com/support/knowledgecenter/?lang=en#!/SSLTBW_1.12.0/com.ibm.zos.r12.icha700/ichza7b088.htm%23wq280

but Your security support should have known about it

unfortunately You will have to write a program,
rexx is not enough
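The RACF mechanism behind the link above is program access to data sets (PADS): a conditional access list entry that grants UPDATE on the data set only while a named, controlled program is running. As an added example, not from the thread or from IBM's documentation, this REXX exec issues the RACF commands that set that up; the data set, load library, program and group names are assumptions, and RACF additionally requires that no uncontrolled programs are loaded in the address space at the time of the access.

```rexx
/* REXX - added example: RACF program access to data sets (PADS).     */
/* A group gets UPDATE on the master library only while the named     */
/* controlled program is running.  All names below are assumptions.   */
master  = "'APPL.MASTER.PDS'"   /* data set users must not edit directly     */
loadlib = "'APPL.LOAD'"         /* library the controlled program loads from */
program = "EDITAPPL"            /* load module that performs the update      */
usergrp = "EDITGRP"             /* RACF group of the permitted users         */

cmd.1 = "ADDSD" master "UACC(NONE)"          /* no direct access for anyone */
/* Mark the program as controlled; PADCHK (the default) keeps the      */
/* "clean environment" check in force when it opens a PADS data set    */
cmd.2 = "RDEFINE PROGRAM" program "ADDMEM("loadlib"//PADCHK) UACC(READ)"
/* Conditional access list entry: UPDATE only through this program     */
cmd.3 = "PERMIT" master "CLASS(DATASET) ID("usergrp") ACCESS(UPDATE)",
        "WHEN(PROGRAM("program"))"
cmd.4 = "SETROPTS WHEN(PROGRAM) REFRESH"     /* activate/refresh PROGRAM class */
cmd.0 = 4

address TSO
do i = 1 to cmd.0
  cmd.i                                      /* issue the RACF command */
  if rc <> 0 then do
    say "RC="rc "from:" cmd.i
    exit rc
  end
end
/* Verify: the conditional access list should now list the group/program */
"LISTDSD DATASET("master") AUTHUSER"
exit 0
```

Run it from a RACF SPECIAL user (or the profile owner); the LISTDSD output at the end shows the CONDITIONAL ACCESS LIST that ISPF 3.4 users will not satisfy.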
Pedro

Global Moderator


Joined: 01 Sep 2006
Posts: 2547
Location: Silicon Valley

Posted: Thu Jun 12, 2014 7:17 pm

The quirk here is that it is not your program that will update the data set. It is the ISPF editor.

Instead of the actual editor, you can read the data set, save the records into control blocks, then call the EDIF service, with your EDIF exits being able to extract from your control blocks before editing and being able to put them back after editing.
enrico-sorichetti

Superior Member


Joined: 14 Mar 2007
Posts: 10873
Location: italy

Posted: Thu Jun 12, 2014 7:29 pm

in this case it is the EDIT concept that is murky
if using ISPF edit then it will make no difference if the EDIT is invoked directly from ISPF
or a user prolog

if the updates are critical then EDIT is not the best tool

there are too many ways of clobbering a dataset
Pedro

Global Moderator


Joined: 01 Sep 2006
Posts: 2547
Location: Silicon Valley

Posted: Thu Jun 12, 2014 9:20 pm

Quote:
if the updates are critical then EDIT is not the best tool

The poster did not explain the actual data set. If the records have a specific format, for example a timestamp in columns 10-30, then it would be better to present the records in an ISPF table where the user can select a row to 'edit'. You would parse the record and present each field individually in a data entry panel to the user. In this way, you can control and verify each field of the record. When the user is done changing the fields, recompose the record and save it back to the table. When done with the table, save it back to a data set.
Pedro

Global Moderator


Joined: 01 Sep 2006
Posts: 2547
Location: Silicon Valley

Posted: Thu Jun 12, 2014 10:07 pm

Getting back to authorizations...

I do not have direct experience, but my recollection was that in order to use the RACF program control capability, the program needed to be APF authorized. This complicates your scenario because programs that use ISPF services cannot be APF authorized. You need two programs: 1) for data access, and 2) for ISPF stuff.
girishbs13

New User


Joined: 11 Nov 2011
Posts: 24
Location: India

Posted: Fri Jun 13, 2014 9:56 am

Enrico,Pedro,

Many thanks for the suggestions. The data sets that I'm trying to edit are unstructured, so I don't think I will be able to use an ISPF table.

I think I'm better off copying the data to a Userid.* data set during edit and then copying the data back to the original data set. In this way the user will never know the actual PDS name where the data resides.

Any other way of doing this ?

Thanks,
Sabari Girish
enrico-sorichetti

Superior Member


Joined: 14 Mar 2007
Posts: 10873
Location: italy

Posted: Fri Jun 13, 2014 10:13 am

Quote:
I think I'm better off copying the data to a Userid.* data set during edit and then copying the data back to the original data set. In this way the user will never know the actual PDS name where the data resides.

pretty useless complication ...
anybody looking at the TSO log ( using SDSF ) will find the dataset name in the allocation messages


looks like nobody in this organization has the slightest idea about proper data security ...
security by hiding things... somebody could not find a stupider idea
girishbs13

New User


Joined: 11 Nov 2011
Posts: 24
Location: India

Posted: Fri Jun 13, 2014 11:59 am

It's posted here only because we don't know how it could be done.

It would be USEFUL to provide a credible idea rather than commenting about the organization!
enrico-sorichetti

Superior Member


Joined: 14 Mar 2007
Posts: 10873
Location: italy

Posted: Fri Jun 13, 2014 12:21 pm

Quote:

It's posted here only because we don't know how it could be done.
It would be USEFUL to provide a credible idea rather than commenting about the organization!

useless comment

when setting a requirement and proposing a solution proper diligence suggests that
a check should be made for the presence of proper competences

anyway what would be wrong in knowing the damn dataset name
and protecting it with the proper RACF/... profile
enrico-sorichetti

Superior Member


Joined: 14 Mar 2007
Posts: 10873
Location: italy

Posted: Fri Jun 13, 2014 12:34 pm

follow on...
if the data is so sensitive, it would be better to redesign the application, storing the data in a DB2 table

and to process/collect the data ...
start an EDIF session(*) with the lines retrieved from the db2 table
and at the end update the db2 table with the changed lines/rows

(*)
Quote:
2.8 EDIF--Edit interface


The Edit Interface (EDIF) service provides edit functions for data accessed through dialog-supplied I/O routines. The invoking dialog must perform all environment-dependent functions such as file allocation, opening, reading, writing, closing, and freeing. The dialog is also responsible for any Enqueue/Dequeue serialization that is required. With the dialog providing the I/O routines, EDIF allows you to:

Edit data other than partitioned data sets or sequential files such as subsystem data, and in-storage data.
Do preprocessing and post-processing of the data being edited.
Pedro

Global Moderator


Joined: 01 Sep 2006
Posts: 2547
Location: Silicon Valley

Posted: Fri Jun 13, 2014 6:43 pm

The simplest solution is a program that copies it from the 'hidden' data set to another data set (and to copy it back later). It still needs to be APF authorized in order to use the RACF program access protection.

Quote:
The data sets that I'm trying to edit are unstructured

You need to impose some kind of structure.

The reason for not allowing direct updating of the data set is so that the user does not introduce errors. It is not as simple as allowing the user to edit a clone of the data set. You need to verify that it does not have errors before copying back to the master data set. And in order to verify the data, it has to be in a predictable format.
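Pedro's point about verifying the copy before it goes back to the master is shown here as an added REXX example (not the poster's utility): a check-then-copy exec that reads the user's work data set, rejects the whole copy if any record fails layout validation, and only then writes it to the master data set. The record layout (key in columns 1-8, timestamp in columns 10-30 in the form YYYY-MM-DD-HH.MM.SS) and the data set names passed as arguments are assumptions.

```rexx
/* REXX - added example (not the poster's utility): validate a work  */
/* copy before copying it back to the master data set.  Assumed      */
/* layout: cols 1-8 key, cols 10-30 timestamp YYYY-MM-DD-HH.MM.SS.   */
parse arg work master
if work = '' | master = '' then do
  say "Usage: CHKCOPY work.dsn master.dsn   (unquoted names)"
  exit 12
end
"ALLOC F(WORKIN) DA('"work"') SHR REUSE"
if rc <> 0 then exit rc
"EXECIO * DISKR WORKIN (STEM rec. FINIS"
"FREE F(WORKIN)"
errors = 0
do i = 1 to rec.0
  msg = check_record(rec.i)
  if msg <> '' then do
    errors = errors + 1
    say "Record" i":" msg
  end
end
if errors > 0 then do
  say errors "record(s) rejected; master data set not updated"
  exit 8
end
/* Only a fully valid copy reaches the master; DISP OLD takes the ENQ */
"ALLOC F(MASTOUT) DA('"master"') OLD REUSE"
if rc <> 0 then exit rc
"EXECIO" rec.0 "DISKW MASTOUT (STEM rec. FINIS"
saverc = rc
"FREE F(MASTOUT)"
say rec.0 "record(s) written to" master
exit saverc

/* Return '' for a valid record, otherwise a description of the error */
check_record: procedure
  parse arg r
  key = strip(substr(r, 1, 8))
  if key = '' then return "key (cols 1-8) is blank"
  if verify(key, "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789") > 0 then
    return "key (cols 1-8) has characters outside A-Z, 0-9"
  ts = strip(substr(r, 10, 21))
  /* map every digit to 9, then compare against the expected mask */
  if translate(ts, "9999999999", "0123456789") <> "9999-99-99-99.99.99" then
    return "timestamp (cols 10-30) is malformed:" ts
  return ''
```

The exec itself does nothing to stop a user with ISPF 3.4 access to the master; it only makes the copy-back step safe, which is why it belongs behind the RACF conditional access discussed earlier in the thread.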
Pedro

Global Moderator


Joined: 01 Sep 2006
Posts: 2547
Location: Silicon Valley

Posted: Fri Jun 13, 2014 9:13 pm

Thinking outside of the box...

If you write your own program, you may also want to serialize access, add logging and keep track of who made changes. Perhaps it is a better solution to use commercial software.

1. use existing Library Management system to control check-out and 'promotes' of changes to the file.

2. use Apache web server and define this as a wiki page. You would have various generations of the file and be able to compare any generation with any other. And you would know who changed what, when.