> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of Walt Farrell
>
> On 2/1/2006 4:39 PM, Chase, John wrote:
> > Is there a "reliable" way, from within (specifically) the RACF
> > IRREVX01 command exit, to determine whether a particular command of
> > interest was entered by a TSO user at a terminal or "submitted" from a
> > program via the terminal services facility IKJEFTSR? The "submitter"
> > program in this case would be a program running in a TSO user's session.
> >
> > The intended effect of this is to reject certain CONNECT commands to
> > certain "firecall" groups except via the specific "submitter" program.
>
> That sounds very tricky. The CONNECT command would be
> running in an authorized subtask tree within TSO, and the
> original "submitter" program would be running in another part
> of the subtask tree, with no obvious connection between them
> that I know of. You could probably walk up the TCB tree
> until you hit IKJEFT02's parent, then walk down some sibling
> TCB chain until you reach the end, and then check the PRB and
> CDE to see if you hit your submitter program.
>
> However, even if you find that data, there's no information
> that I know of that would allow you to determine that it is the
> copy of the program you expected, rather than some other
> program with the same name, from some other library.
> Possibly checking for a clean program control environment
> would help, but that's not a documented programming interface.
>
> I might suggest a different approach, with an APF-authorized
> submitter program that invokes R_admin to do the CONNECT
> command. This lets the submitter specify the user ID under
> which to run the command, and your exit could simply check
> the ID the command is running under.

Thanks for the suggestions. I've since learned that the "objection" raised
by our auditors is that some CONNECTs to these "firecall" groups did not
specify the REVOKE keyword with "today's" date (i.e., a RACF admin issued
the CONNECT) as required by our internal controls. Thus it seems that
simply adding an appropriate REVOKE via the IRREVX01 exit would resolve the
auditors' objection.
Thanks again,
-jc-