On Wed, Jul 8, 2020 at 6:04 PM Bob Bridges <robhbrid...@gmail.com> wrote:
> I've been doing mainframe security for a few decades now, but I've never
> learned IBM's version of assembler (I still have ambitions of doing that
> eventually) so I may be mistaken about how RACROUTE works. But my
> impression is that the question the OS asks the security system might look
> like this: "About resource HLQ.XYZ in class DATASET, does ABC have
> UPDATE access to it?" In other words, the question specifies the class,
> the resource name, the user's ID and the level of access (READ or
> whatever), and the answer is a simple Yes or No (or in rare cases "I can't
> tell").
>
> Am I mistaken in that? If not, then how do you learn what access ABC has
> to HLQ.XYZ without asking once for READ, once for UPDATE and so on?

That's close. But the access is "hierarchical": ALTER access implies
CONTROL access implies UPDATE access implies READ access. So if you want to
know a person's access, you'd start at the most powerful and go downward.

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.ichc600/rrauthstd.htm

    ,ATTR=READ
    ,ATTR=UPDATE
    ,ATTR=CONTROL
    ,ATTR=ALTER
    ,ATTR=reg

    specifies the level of authority requested. RACF checks the resource
    profile protecting the resource identified by the ENTITY and CLASS
    keywords. The values have the following hierarchical order:

    - READ
    - UPDATE
    - CONTROL
    - ALTER

    That is, if a user has update authority and ATTR=READ is specified,
    RACF returns a return code of 0. If ATTR=CONTROL, RACF returns a
    return code of 8.

    For multilevel secure environments:

    1. When ATTR=READ or ALTER, it will be treated as though it was a
       read-only request for purposes of mandatory access control (MAC)
       checking.
    2. When ATTR=UPDATE or CONTROL, it will be treated as though it was a
       read-write request for purposes of mandatory access control (MAC)
       checking.

    If a register is specified, the register must contain one of the
    following codes in the low-order byte of the register:

    X'02'  READ
    X'04'  UPDATE
    X'08'  CONTROL
    X'80'  ALTER

    The default is ATTR=READ.

>
> ---
> Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313
>
> --
> People in sleeping bags are the soft tacos of the bear world.

Maranatha! <><
John McKown

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
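The following is an added example, not code from the thread or from IBM: a small Python model of the hierarchical RACROUTE REQUEST=AUTH check John describes, with the top-down probe that finds a user's effective access from a few yes/no answers. The profile data, user IDs (ABC, DEF, GHI, ZZZ) and the DATASET resources are constructed for the example; return codes 0 and 8 are the ones quoted from the RACF doc above, while return code 4 for the "I can't tell" (no profile) case is this example's assumption.

```python
# Added example (not from the thread or from IBM): a Python model of the
# hierarchical RACROUTE REQUEST=AUTH check and the top-down access probe.
from typing import Optional, Tuple

# Hierarchical order quoted from the RACF doc, lowest to highest.
ACCESS_ORDER = ["READ", "UPDATE", "CONTROL", "ALTER"]

# Low-order-byte codes for ATTR=reg, as quoted in the thread.
REGISTER_CODES = {0x02: "READ", 0x04: "UPDATE", 0x08: "CONTROL", 0x80: "ALTER"}

# Return codes: 0 and 8 come from the quoted doc; 4 is this example's assumed
# code for the "I can't tell" case (no profile protects the resource).
RC_ALLOWED = 0
RC_NO_DECISION = 4
RC_DENIED = 8

# Constructed sample profile data (hypothetical users and resources): the
# highest access each user holds on each protected resource.
PROFILES = {
    ("DATASET", "HLQ.XYZ"): {"ABC": "UPDATE", "DEF": "ALTER", "GHI": "READ"},
}


def attr_from_register(reg: int) -> str:
    """Decode the ATTR value from the low-order byte of a register."""
    code = reg & 0xFF
    if code not in REGISTER_CODES:
        raise ValueError(f"invalid ATTR code {code:#04x} in register")
    return REGISTER_CODES[code]


def racroute_auth(cls: str, entity: str, userid: str, attr: str = "READ") -> int:
    """One RACROUTE-style question: does userid have attr to entity in cls?

    Returns 0 if the user's granted level covers the requested level,
    8 if it does not, and 4 (assumed) if no profile protects the resource.
    """
    if attr not in ACCESS_ORDER:
        raise ValueError(f"unknown ATTR value {attr!r}")
    profile = PROFILES.get((cls, entity))
    if profile is None:
        return RC_NO_DECISION
    granted = profile.get(userid)
    if granted is None:
        return RC_DENIED
    # Hierarchy: a granted level permits every level at or below it.
    if ACCESS_ORDER.index(granted) >= ACCESS_ORDER.index(attr):
        return RC_ALLOWED
    return RC_DENIED


def effective_access(cls: str, entity: str, userid: str) -> Tuple[Optional[str], int]:
    """Probe from ALTER downward and stop at the first permitted level.

    Returns (level or None, number of RACROUTE calls made). Because the
    levels nest, the first "yes" is the user's highest access.
    """
    calls = 0
    for attr in reversed(ACCESS_ORDER):
        calls += 1
        rc = racroute_auth(cls, entity, userid, attr)
        if rc == RC_ALLOWED:
            return attr, calls
        if rc == RC_NO_DECISION:
            # No profile at all: lower levels cannot answer either, so stop.
            return None, calls
    return None, calls


if __name__ == "__main__":
    for user in ("ABC", "DEF", "GHI", "ZZZ"):
        level, n = effective_access("DATASET", "HLQ.XYZ", user)
        print(f"{user}: highest access {level} found in {n} call(s)")
    print("ATTR from register X'00000080':", attr_from_register(0x80))
```

Starting at ALTER and walking down means a user with UPDATE is found in three calls (ALTER no, CONTROL no, UPDATE yes), and even a user with nothing costs only four; going upward instead would need all four calls for the most privileged users and would not let you stop early. Real RACF code passes ATTR= as a keyword or as a register holding one of the X'02'/X'04'/X'08'/X'80' codes; the decoder above only mirrors that table.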