Chris Amidon
New User
Joined: 21 Apr 2015 Posts: 5 Location: United States
Hi, I have a feeling I already know the answer to this question, as I've done some pretty intense Googling on this, but I'm hoping one of you guys is smarter than I am or at least has better Google-fu than I, and has done this before.
I have a need (desire?) to EXEC a REXX from within another REXX as another user. Ideally, I can do this without having to submit a batch job (this is how I'm doing it now, but it is a bit messy for my taste). I'd love to be able to execute a compiled REXX as another user and get back a result without having to do it through a batch job.
I'm currently accomplishing this task by building commands that I'm feeding in to a dataset which is then being used in the SYSIN dataset for a job that I'm submitting with a USER= and PASSWORD= statement on the jobcard. If I could just execute a REXX function as another user, that would be a bit easier to work with.
Mickeydusaor
Active User
Joined: 24 May 2006 Posts: 258 Location: Salem, Oregon
Why not build all the required DD and DSN in your REXX and then just invoke the program from your REXX instead of building and submitting a batch job? You can then plug anything you want into the job card, the userid and so on, before invoking the program.
Chris Amidon
New User
Joined: 21 Apr 2015 Posts: 5 Location: United States
I guess that is very valuable information! I have another process running that resets the password periodically and stores it in an encrypted file. When I build my JCL, I'm actually running another process to fetch the encrypted password and plugging it into the JCL.
I know someone could get the password if they were smart enough to run the REXX through a debugger, but we are calling it "good enough" for this particular process as long as we have another process that automatically resets the password every so often (think like 5 minutes).
enrico-sorichetti
Superior Member
Joined: 14 Mar 2007 Posts: 10873 Location: italy
Why not use the surrogate id?
I.e., the authority to submit a job on behalf of another user.
Chris Amidon
New User
Joined: 21 Apr 2015 Posts: 5 Location: United States
Granting surrogate authority would give these users more access than I actually want them to have. I'm hiding the process to build the jobcard in a compiled REXX and then using RACF to protect execution of the exec.
I realize this is suboptimal, and I seriously wouldn't do it if there were a better way.
Pedro
Global Moderator
Joined: 01 Sep 2006 Posts: 2547 Location: Silicon Valley
Quote:
If I could just execute a REXX function as another user

It is not clear what you cannot do from your own userid that the other userid will be able to do. You should be able to grant the same permissions as the other user so that either user can invoke the rexx program.
Your process is not entirely clear to me... perhaps what you want is for the program to be the one that is authorized, rather than granting permission to numerous users. You would want a compiled program rather than a rexx program.
Chris Amidon
New User
Joined: 21 Apr 2015 Posts: 5 Location: United States
Well, the program is going to be removing a user's access to a specific RACF profile. I need the helpdesk to be able to execute this function. I don't know of a way to allow this user to perform this action without granting helpdesk users RACF SPECIAL authority. The catch is that I don't want to do anything that would de facto make these users RACF SPECIAL like granting surrogate authority would. I ONLY want them to be able to remove a user's authority to this one specific profile.
Perhaps what you are saying is what I actually need. Presumably I could compile a REXX program and give it access to remove access to the profile in question.
Pedro
Global Moderator
Joined: 01 Sep 2006 Posts: 2547 Location: Silicon Valley
Consider granting the help desk personnel CONTROL authority to only that data set profile:
Code:
ADDGROUP HELPDESK
CONNECT HELP01 GROUP(HELPDESK) AUTHORITY(USE)
CONNECT HELP02 GROUP(HELPDESK) AUTHORITY(USE)
PERMIT my.restrict.dsn ID(HELPDESK) ACCESS(CONTROL)

I think the help desk personnel will be able to issue PERMIT commands for your data set. They will be able to grant or delete authority.
Another approach is to use the ICHCCX00 command exit. Your exit can determine the userid and the parameters specified on the command, then it can allow the command to proceed or not. This is not for the faint of heart.
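The last post says a command exit can look at the issuing userid and the command parameters and then allow the command or not. The following is an added example, not code from the thread and not the ICHCCX00 interface: a Python model of that allow/deny decision for the requirement stated earlier (help desk may only remove one user from one profile). The profile and help desk userids come from the thread; USER01 and the function name `decide` are constructed for illustration.

```python
import re

# Names from the thread. The profile is matched fully qualified and quoted,
# because an unquoted data set name is prefixed by TSO and names another profile.
PROTECTED_PROFILE = "'MY.RESTRICT.DSN'"
HELPDESK_USERS = {"HELP01", "HELP02"}

# Exactly one RACF user ID: 1-8 characters, alphanumeric or # $ @.
# ID(*) and multi-user lists such as ID(A B) do not match and are denied.
_ID_OPERAND = re.compile(r"^ID\(([A-Z0-9#$@]{1,8})\)$")


def decide(issuer: str, command: str) -> tuple[bool, str]:
    """Return (allowed, reason) for the delegated help desk path only.

    Deny by default: the single shape let through is
    PERMIT <protected profile> ID(<one user>) DELETE, operands in either order.
    """
    if issuer.upper() not in HELPDESK_USERS:
        return False, "issuer is not covered by this delegation"
    tokens = command.upper().split()
    if len(tokens) != 4 or tokens[0] not in ("PERMIT", "PE"):
        return False, "not a two-operand PERMIT command"
    if tokens[1] != PROTECTED_PROFILE:
        return False, "profile is not the delegated one"
    operands = tokens[2:]
    if "DELETE" not in operands:
        return False, "only DELETE is delegated (no ACCESS, RESET, ...)"
    operands.remove("DELETE")
    match = _ID_OPERAND.match(operands[0])
    if not match:
        return False, "ID() must name exactly one user"
    return True, f"remove {match.group(1)} from {PROTECTED_PROFILE}"


if __name__ == "__main__":
    # Constructed sample commands, not taken from any real system.
    samples = [
        ("HELP01", "PERMIT 'MY.RESTRICT.DSN' ID(USER01) DELETE"),
        ("HELP01", "PERMIT 'MY.RESTRICT.DSN' ID(USER01) ACCESS(ALTER)"),
        ("HELP02", "PERMIT 'MY.RESTRICT.DSN' ID(*) DELETE"),
        ("HELP01", "PERMIT MY.RESTRICT.DSN ID(USER01) DELETE"),
    ]
    for issuer, cmd in samples:
        print(issuer, cmd, "->", decide(issuer, cmd))
```
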