On 8/13/2007 10:51 AM, McKown, John wrote:
> However, the use of the TERMINAL class is dependent on the
> __application__ to do the RACROUTE to verify access. RACF does not
> enforce access. It simply answers the question: "Can user % access
> resource % with the % access level?". If the code doesn't ask the
> question (via RACROUTE), then RACF cannot do anything. Or if the code
> asks the question, then doesn't pay attention to the answer, RACF cannot
> enforce anything.

Not quite correct, John. TERMINAL access checking does not happen via
RACROUTE REQUEST=AUTH, where the application must both ask the question
and enforce the answer.

TERMINAL access checking happens by specifying the terminal name on
RACROUTE REQUEST=VERIFY during the user authentication process. RACF
does the checking, and if the user does not have access the entire
authentication process fails.

Thus, while the application must at least supply the terminal name, it
does not need to do any additional RACROUTE calls and can not ignore the
answer.

--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html