On Fri, 16 Apr 2010 08:43:52 -0500, Wayne Driscoll <[email protected]> wrote:
>To use the TCBSENV field, you issue a RACROUTE
>REQUEST=VERIFY,ENVIRN=CREATE and specify ACEE= passing the address of a
>fullword where RACF returns the ACEE. You then store that address in
>TCBSENV. You also need to specify that the ACEE is created below the
>line. You are also responsible for issuing the RACROUTE
>REQUEST=VERIFY,ENVIRN=DELETE when the user logs off. One thing to beware
>is that the TCBSENV is not propagated to subtasks, so if any services that
>use ATTACH are allowed, then you will need a way to get the subtask
>TCBSENV populated.
>However, I have to say that I agree that the best approach is to use UNIX
>services, since UNIX has been required since OS/390 1.5. People may not
>"like" it, but they do need it.

I think it's much better, Wayne, to simply issue the VERIFY without ACEE= and let RACF automatically anchor it in TCBSENV for you.

Good point about ATTACH, by the way, but there is at least one case where it will propagate. Taking a request off of a WLM queue will get an automatic VERIFY request done, for example, and if that subtask does an ATTACH, TCBSENV will propagate. I'm not sure if there are other cases of this.

By the way, it's also important to do the corresponding VERIFY with ENVIR=DELETE later.

--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design

