On Thu, 21 Apr 2011 15:27:48 -0500, Patrick Roehl
<[email protected]> wrote:

>The RACF functions are used to determine if a 3rd party is allowed to access a
>specific resource.
>
>RACROUTE REQUEST=VERIFY,ENVIR=CREATE
>RACROUTE REQUEST=AUTH
>RACROUTE REQUEST=VERIFY,ENVIR=DELETE
>
>The process is run as a started task and functions as a server from TCP/IP
>clients.  Database access is also performed, and that's the source of several
>of the other STEPLIBs.

UNIX-based servers on z/OS do not need to run APF-authorized in order to
authenticate clients or perform access checking.

So your simplest approach, I think, would be to make use of the C/C++
functions that do user authentication and authorization checking, or the
z/OS UNIX Assembler Callable Services that the C/C++ functions call. I would
also recommend using subtasks (or pthreads) as that will make security
management simpler.

Your program could, for example, use pthread_security_np() to create a
security environment for a client user, and then __check_resource_auth_np()
to check the user's authority. You'll find both of those in the C/C++
Runtime Library Reference.

Or for an assembler program, pthread_security_np and auth_check_resource_np,
which you'll find in z/OS UNIX System Services Programming: Assembler
Callable Services Reference.

Note that your client users will need UNIX identity info (UID, plus GID(s)
for their group(s)) but that should not be an impediment as administrators
have easy ways to set that up.

-- 
Walt Farrell
IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html