On Wed, 13 May 2009 09:24:30 -0500, Joe Owens <[email protected]>
wrote:

>
>I take your point about not knowing which grouping profile supplied the match,
>I would settle for the (generic) name that matched, whether it came from the
>name of a resource in the primary or a member of the grouping class.
>

You can get that, but you would need to either:

(a) use RACROUTE REQUEST=AUTH, from an APF-authorized program, specifying
ENTITY or ENTITYX=(resource-name-address,PRIVATE).  RACF will return a
profile (still possibly one that's merged) but the name will be the member
name (possibly generic) that matched.  You'll need to be in key 0 to examine
the returned data, and to FREEMAIN it.

(b) RACROUTE REQUEST=EXTRACT,BRANCH=YES, with MATCHGN=YES should also return
the matching member name.

Note that for either of these to work you do need to have the class
RACLISTed, and while SETROPTS RACLIST might work for the AUTH case, I think
it's best to have your application issue RACROUTE REQUEST=LIST, probably
with GLOBAL=YES and ENVIR=CREATE.  And then when it's done, RACROUTE
REQUEST=LIST with ENVIR=DELETE.

If your summary of historical access were based on RACF SMF records, of
course, you'd know the proper member name already from those records, and
wouldn't need to be trying to figure it out.

-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
