Possible to EXEC REXX as another user without batch job?

Chris Amidon · Posted: Tue May 05, 2015 9:07 pm

Hi, I have a feeling I already know the answer to this question, as I've done some pretty intense Googling on this, but I'm hoping one of you guys are smarter than I am or at least have better Google-fu than I, and have done this before.

I have a need (desire?) to EXEC a REXX from within another REXX as another user. Ideally, I can do this without having to submit a batch job (this is how I'm doing it now, but it is a bit messy for my taste). I'd love to be able to execute a compiled REXX as another user and get back a result without having to do it through a batch job.

I'm currently accomplishing this task by building commands that I'm feeding in to a dataset which is then being used in the SYSIN dataset for a job that I'm submitting with a USER= and PASSWORD= statement on the jobcard. If I could just execute a REXX function as another user, that would be a bit easier to work with.

Mickeydusaor · Posted: Tue May 05, 2015 9:39 pm

Why not build all the required DD and DSN in the Your REXX and the just invoke the program from your REXX instead of build and submitting a batch
job. you then can plug anything you want into the job card, the userid and so on before invoking the program.

Chris Amidon · Posted: Tue May 05, 2015 11:41 pm

I guess that is very valuable information! I have another process running that resets the password periodically and stores it in an encrypted file. When I build my JCL, I'm actually running another process to fetch the encrypted password and plugging it into the JCL.

I know someone could get the password if they were smart enough to run the REXX through a debugger, but we are calling it "good enough" for this particular process as long as we have another process that automatically resets the password every so often (think like 5 minutes).

enrico-sorichetti · Posted: Wed May 06, 2015 12:21 am

why not use the surrogate id ???
i.e the authority to submit a job on behalf of another user.

Chris Amidon · Posted: Wed May 06, 2015 12:35 am

Granting surrogate authority would give these users more access than I actually want them to have. I'm hiding the process to build the jobcard in a compiled REXX and then using RACF to protect execution of the exec.

I realize this is suboptimal, and I seriously wouldn't do it if there were a better way.

Pedro · Posted: Wed May 06, 2015 2:15 am

Chris Amidon · Posted: Wed May 06, 2015 2:22 am

Well, the program is going to be removing a users access to a specific RACF profile. I need the helpdesk to be able to execute this function. I don't know of a way to allow this user to perform this action without granting helpdesk users RACF SPECIAL authority. The catch is that I don't want to do anything that would de-facto make these users RACF SPECIAL like granting surrogate authority would. I ONLY want them to be able to remove a users authority to this one specific profile.

Perhaps what you are saying is what I actually need. Presumably I could compile a REXX program and give it access to remove access to the profile in question.

Pedro · Posted: Wed May 06, 2015 6:33 am

Consider granting the help desk personnel CONTROL authority to only that data set profile: