When the security server checks for authorization, the following is used:
1 - The ACEE passed in the parmlist.
2 - If above is zero, the ACEE pointed to in TCBSENV
3 - If above is zero, the ACEE pointed to in ASXBSENV

As Walt mentioned, ACEEs are not propagated (in retrospect, might not have been the best choice, but it's way too late in the game to change). Since you have to be APF authorized to issue the RACROUTE REQUEST=VERIFY to create the ACEE, getting into KEY 0 to modify the TCB isn't a huge requirement. However, if "all" the task is doing is going to run with the identity other than that of the server address space, instead of doing the attach with DISP=NO, then doing the RACROUTE call and updating the NEW TCB, then releasing the TCB via STATUS, I would suggest (as have others) that you ATTACH the subtask with DISP=YES, then in the SUBTASK code issue RACROUTE REQUEST=VERIFY. If you do not specify ACEE=, the system will update TCBSENV for you if the new ACEE has a separate set of security credentials from the address space.

Hope this helps

Wayne Driscoll
Product Architect
JME Software

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Richard Tsujimoto
Sent: Friday, March 10, 2006 8:25 AM
To: [email protected]
Subject: Re: How to start a subtask under another user

>Walt wrote:
>The system does not provide propagation of the ACEE to subtasks during
>ATTACH except for servers using WLM message queueing to process work
>requests.
>You will have to provide that propagation yourself, or ensure that your
>code avoids multiple levels of subtasking.

I'm no security expert, but the impression I get from other products that do security checking on behalf of other users, is that, as someone earlier posted, a RACROUTE is performed using the subject's userid. It seems inappropriate to have to muck with the TCB.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
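
The ACEE lookup order and the lack of propagation across ATTACH described in this thread, as a small Python simulation added here (it is not z/OS code and not from any poster). The class and function names and the userids SERVER, ALICE and BOB are constructed for illustration; `verify` models only the no-ACEE= behaviour stated in the reply.

```python
# Toy model: control blocks reduced to the fields the thread names.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ACEE:
    userid: str

@dataclass
class AddressSpace:
    asxbsenv: Optional[ACEE]            # address-space level ACEE pointer

@dataclass
class TCB:
    space: AddressSpace
    tcbsenv: Optional[ACEE] = None      # task-level ACEE pointer, zero by default

def attach(parent: TCB, propagate: bool = False) -> TCB:
    """ATTACH: the new TCB gets no ACEE unless the caller copies it itself."""
    child = TCB(space=parent.space)
    if propagate:                       # the do-it-yourself propagation Walt mentions
        child.tcbsenv = parent.tcbsenv
    return child

def verify(task: TCB, userid: str) -> ACEE:
    """RACROUTE REQUEST=VERIFY without ACEE=, as the reply describes it."""
    acee = ACEE(userid)
    if acee != task.space.asxbsenv:     # credentials differ from the address space
        task.tcbsenv = acee
    return acee

def effective_acee(task: TCB, parm_acee: Optional[ACEE] = None) -> Optional[ACEE]:
    """Lookup order from the reply: parmlist, then TCBSENV, then ASXBSENV."""
    for acee in (parm_acee, task.tcbsenv, task.space.asxbsenv):
        if acee is not None:
            return acee
    return None

def demo() -> dict:
    main = TCB(space=AddressSpace(asxbsenv=ACEE("SERVER")))
    worker = attach(main)               # subtask starts with TCBSENV zero
    before = effective_acee(worker).userid
    verify(worker, "ALICE")             # issued from inside the subtask
    nested = attach(worker)             # second-level subtask, nothing inherited
    copied = attach(worker, propagate=True)
    return {
        "before_verify": before,
        "after_verify": effective_acee(worker).userid,
        "nested": effective_acee(nested).userid,
        "copied": effective_acee(copied).userid,
        "explicit": effective_acee(nested, ACEE("BOB")).userid,
    }
```

The `nested` result is the case to audit for in a multi-level server: a second-level subtask silently falls back to the server address space identity unless the ACEE is passed explicitly or copied.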

