Hi Bob,
Here is my RACROUTE program from CBT File 836:
RACROUTE TITLE 'RACROUTE STATUS=ACCESS'
* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - *
*
*        Author:   David Spiegel
*
*        Update:   Sam Golob  - June 17, 2020
*                  Return words instead of only the reason code.
*
* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - *
*
*  This program is meant to be used with the following REXX:
*
*  /*   rexx */
*  Arg dsn
*  Address TSO "Call *(Racrout) '"dsn"'"
*
* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - *
RACROUTE CSECT ,
RACROUTE AMODE 31
RACROUTE RMODE ANY
         SAVE  (14,12),,RACROUTE.&SYSDATE..&SYSTIME Save caller's regs.
         LR    R12,R15            Load address of entry point
         USING RACROUTE,R12       Give assembler program's base reg.
*
         LR    R11,R1             Save Pointer to Parameter Address Blk
         USING ARGS,R11
*
         GETMAIN R,LV=SAVESIZE,LOC=BELOW
         XC    0(CLEARSIZ,R1),0(R1)  Clear the save/work area
         ST    R1,8(,R13)         Save new save area addr.in old area
         ST    R13,4(,R1)         Save old save area addr.in new area
         LR    R13,R1             Replace old save area with new one
         USING SAVEAREA,R13       Tell assembler about save area
*
*
*
         L R11,0(,R11)
         LH R5,0(,R11)
         C     R5,=F'0' PARM?
         BE    RETURN              No, RETURN
*
         BCTR R5,0
         EX R5,MVC
         B CONTINUE
*
MVC      MVC THEENT(*-*),2(R11)
*
*
*
CONTINUE DS 0F
         RACROUTE REQUEST=AUTH,                                        x
               RELEASE=1.9,                                            x
               STATUS=ACCESS,                                          x
               CLASS='DATASET',                                        x
               ATTR=UPDATE,                                            x
               ENTITY=THEENT,VOLSER=THEVOL,                            x
               WORKA=SAFWORKA
         LM    R3,R4,CONTINUE+4    Save Return Code, Reason Code
         ST R4,SAVER4A
*
*
*
RETURN   DS 0H
*        WTO   'RACROUTE About to Exit'
         L R4,SAVER4A
         B *+4(R4)
         B NONE
         B READ
         B UPDATE
         B CONTROL
         B ALTER
         B OUTFREE
         B OUTFREE
OUTFREE  DS 0H
         LR    R1,R13             Save old save area addr. for FREEMAIN
         L     R13,4(,R13)        Restore old save area address
         FREEMAIN R,LV=SAVESIZE,A=(1)
EXIT     DS 0H
*        SLR   R15,R15            Set a return code of zero
         LR    R15,R4             Return with Reason Code
         RETURN (14,12),RC=(15)   Return to caller, return code zero
*
NONE     DS 0H
         MVI OUTLINE-1,X'40'
         MVC OUTLINE,OUTLINE-1
         MVC   OUTLINE,=CL17'Access is NONE '
         TPUT OUTLINE,17
         B OUTFREE
READ     DS 0H
         MVI OUTLINE-1,X'40'
         MVC OUTLINE,OUTLINE-1
         MVC OUTLINE,=CL8'READ'
         MVC   OUTLINE,=CL17'Access is READ '
         TPUT OUTLINE,17
         B OUTFREE
UPDATE   DS 0H
         MVI OUTLINE-1,X'40'
         MVC OUTLINE,OUTLINE-1
         MVC   OUTLINE,=CL17'Access is UPDATE '
         TPUT OUTLINE,17
         B OUTFREE
CONTROL  DS 0H
         MVI OUTLINE-1,X'40'
         MVC OUTLINE,OUTLINE-1
         MVC   OUTLINE,=CL17'Access is CONTROL'
         TPUT OUTLINE,17
         B OUTFREE
ALTER    DS 0H
         MVI OUTLINE-1,X'40'
         MVC OUTLINE,OUTLINE-1
         MVC   OUTLINE,=CL17'Access is ALTER '
         TPUT OUTLINE,17
         B OUTFREE
*
*
*
         DS 0D
SAFWORKA DS CL512
THEENT   DC    CL44' '
THEVOL   DC CL6'THEVOL'
*
*
*
SAVEAREA DSECT ,                  Register save area and work area
         DS    18F                Register save area
CLEARSIZ EQU   *-SAVEAREA         Save and work area size
         DS X
OUTLINE  DS CL19
SAVER4A  DS F
RECORD   DS 0CL16
USERID   DS CL8
PASSWORD DS CL8
RECSIZE  EQU *-RECORD
WTO0     WTO '                                                     ',X
               MF=L
WTO0L    EQU *-WTO0
SAVESIZE EQU   *-SAVEAREA         Save and work area size
*
*
*
ARGS DSECT
          DS 0D
LENGTH    DS H
DSNAME    DS   CL44               Dataset Name to Check
         YREGS
         END


Please run my RACROUTE program by calling it with this Rexx EXEC:
/* Rexx */
/* Trace I */
/*
   Return Codes from RACROUTE:

   00  The user has no access.
   04  The user has READ authority.
   08  The user has UPDATE authority.
   0C  The user has CONTROL authority.
   10  The user has ALTER authority

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.
v2r1.ichc600/ich2c6_Return_codes_and_reason_codes1.htm
 */
Arg dsn
Address TSO "Call *(Racroute) '"dsn"'"
Say rc

Please note that the Load Module must be in a //STEPLIB or LNKLST.
If not, you can specify the PDS where it resides:
Address TSO "Call 'USER.LOAD(Racroute)' '"dsn"'"

Regards,
David
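
Added example, not part of the original post or of CBT File 836: a Rexx wrapper that answers the "Your Access" question for a list of datasets by calling the program above once per name and translating the STATUS=ACCESS reason code it returns in rc. It assumes the load module is reachable as *(Racroute); the 44-character check is there because the program copies the PARM into the 44-byte THEENT field with an executed MVC, so a longer argument would be copied past the end of that field.

```rexx
/* Rexx - added example, not code from the original post            */
/* Assumption: the RACROUTE load module is reachable via CALL *(..) */
/* and returns the STATUS=ACCESS reason code as its return code.    */
Arg dsnlist                         /* blank-separated dataset names */
level.   = '?'                      /* any rc not listed below       */
level.0  = 'NONE'
level.4  = 'READ'
level.8  = 'UPDATE'
level.12 = 'CONTROL'                /* X'0C' shows in rc as 12       */
level.16 = 'ALTER'                  /* X'10' shows in rc as 16       */
Do i = 1 To Words(dsnlist)
  dsn = Word(dsnlist, i)
  If Length(dsn) > 44 Then Do       /* THEENT is CL44 in the program */
    Say Left(dsn, 44) 'skipped, name is longer than 44 characters'
    Iterate
  End
  Address TSO "Call *(Racroute) '"dsn"'"
  Say Left(dsn, 44) level.rc        /* one RACROUTE call per dataset */
End
```

The program also writes its own "Access is ..." line with TPUT on every call, so each dataset produces that line followed by the summary line from the exec.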

On 2020-07-08 19:03, Bob Bridges wrote:
I've been doing mainframe security for a few decades now, but I've never learned IBM's version of 
assembler (I still have ambitions of doing that eventually) so I may be mistaken about how RACROUTE 
works.  But my impression is that the question the OS asks the security system might look like 
this:  "About resource HLQ.XYZ in class DATASET, does ABC have UPDATE access to it?"  In 
other words, the question specifies the class, the resource name, the user's ID and the level of 
access (READ or whatever), and the answer is a simple Yes or No (or in rare cases "I can't 
tell").

Am I mistaken in that?  If not, then how do you learn what access ABC has to 
HLQ.XYZ without asking once for READ, once for UPDATE and so on?

---
Bob Bridges, [email protected], cell 336 382-7313

/* People don't really want to go back to a time when the world was simpler. 
They want to go back to a time when they didn't understand how complicated the 
world has always been. */


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf 
Of David Spiegel
Sent: Tuesday, July 7, 2020 18:15

"...  But if you want to know all the kinds of access you have, you'd
need to ask the question three or four times, for read, update, execute
and create. ..."

This statement is not true.

I published an Assembler program and a Rexx Exec here on June 14.
My program has been placed on CBT File 836 (for now, it's in the Update
section of the website).

--- On 2020-07-07 17:45, Bob Bridges wrote:
Nothing useful to say about your first question, but about the second:  I can 
think of two ways to pull your access information for a list of datasets.

1) Query the system about which security app is running (RACF, ACF2 or TSS), then issue the 
commands and parse the output.  Display only the brief results, eg "RW" for 
"read/write".  I have a REXX that can tell you which security app is running, if you're 
interested.

That involves a lot of coding.  It might be simpler (if you can find a way to 
do it) to 2) do a RACROUTE query, since that sends the question to the existing
security system and returns simply 0 (access allowed), 8 (not allowed) or very 
rarely 4 (can't tell).  But if you want to know all the kinds of access you 
have, you'd need to ask the question three or four times, for read, update, 
execute and create.

And for both methods you'd have to do the query for every dataset in the list.  
If you do long lists and/or do this often, it puts a burden on the system that 
might get you talked about (and to) by the operations folks.  Probably not a 
good idea.

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Tim 
Hare
Sent: Tuesday, July 7, 2020 1:08 PM

I have some questions about the ISPF 3.4 utility.

1. Why does 'Referred' show on the "total" display for datasets,  but if you 
print the dataset list, you don't get it?

2. Are there ways to extend what is displayed?  For one example:  I would like to have a
column for 'Your Access' that would show me what RACF says my access is, rather than
having to do LD DA(/) ALL GEN on a line, and "suffer" through the TSO command
output (as I've rarely worked with ACF2 and never with Top Secret I don't know if such a
request can be done for 'generic security system')
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN