> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of Randy Evans
>
> >>
> >>>One could argue that letting you determine your access to
> resources
> >>>without actually trying to use them (and thus without causing audit
> >>>records) is a form of hacking.
> >>
> >>Perhaps, but some IBM code does exactly that, and for what
> seems to be
> >>good cause. I don't recall the details, but it was discussed here in
> the
> >>last few years.
> >>
> >
> >You may be thinking of ISPF 3.4 and data set name hiding or may be
> >thinking of ISPF 3.4 checking for ALTER access to the catalog.
> >
>
> Following extracted from the CICS/TS RACF Security Guide:
>
> "2.7.6.2 Checking which transactions to offer a user
> You can use the QUERY SECURITY command to check whether a
> user is authorized to use a particular transaction before
> displaying the transaction code as part of an introductory
> menu. When you use the command for this purpose, you will
> probably want to avoid logging the checks for users who are
> not allowed to use certain transactions. To do this, use the
> NOLOG option."
>
> ...and the QUERY SECURITY command invokes a RACROUTE to
> perform this function. So CICS is documenting use of
> preemptive RACROUTE requests as reasonable design in
> presenting usable options on a user's menu.
I've "heard" that CICS issues RACROUTE REQUEST=FASTAUTH "under the
covers" to do that..... CICS also issues RACROUTE
REQUEST=LIST,GLOBAL=YES during its startup for each of the
"CICS-related" classes "activated" via the DFHSIT Xyyy parms, so
RACLISTing of one sort or another may be a "pre-req" for FASTAUTH.
-jc-
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
