On Fri, 22 Feb 2008 13:09:26 -0600, David Eisenberg
<[EMAIL PROTECTED]> wrote:

>I'm just getting familiar with the RACROUTE macro. I have a working example
>of the macro with REQUEST=AUTH that generates a violation when
>appropriate.
>
>My question is: is there a way to interrogate RACF (presumably via the
>RACROUTE macro) to simply *ask* whether or not a particular user has read
>or write access to a dataset, but without actually issuing a violation if the
>user is unauthorized? All I want to do is get a yea or nay answer (via R15, I
>assume), then proceed accordingly and programmatically.
>

Running APF-authorized you could specify LOG=NONE.

However, in most cases I recommend simply letting the system make the
appropriate checks and, if necessary, trapping any ABENDs that result. 
Otherwise there are a lot of odd conditions you may need to deal with, and
that can cause you to get the wrong answer and act incorrectly.  You might
think that the user will have access, and then the request might fail
anyway.   Or you might think the user does not have access, and refuse the
action, when it would have worked if you had actually tried it.

Of course, without knowing more about what your program does I can't say for
sure that you'll have those problems.  Still, I generally recommend just letting
the system make the decisions.

-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
