My experience with RACF echoes Bob Bridges, as does the excellent code
sample from David Spiegel. A single call directly to RACF returns a
yes/no for the level of access queried in that call.
Ages ago I worked in an ASM2 shop. As I recall, ASM2 allowed a single
call to determine the highest level of access allowed. In any case,
it's a shame that RACF requires multiple calls. David's code appears
to do that but masks it for the user.
.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com
-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On
Behalf Of Mike Hochee
Sent: Wednesday, July 8, 2020 9:07 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: ISPF 3.4 DSLIST questions
CAUTION EXTERNAL EMAIL
Hi Bob,
If was unfamiliar with assembler, I would not start by attempting to
use RACROUTE macros, as the combination of the two is a lot to chew on
IMO.
RACSEQ is a TSO command/utility for RACF written by Bruce wells of IBM
some years ago. Documentation and assembler source are available
here...
https://eur06.safelinks.protection.outlook.com/?url=ftp%3A%2F%2Fftp.www.ibm.com%2Fs390%2Fzos%2Fracf%2Fracseq%2FracseqReadMe.pdf&data=02%7C01%7C%7Cc1ba10f375ae4291954408d823bf7269%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637298652463812056&sdata=eEwr70f%2BfqMkQRw60AnpPPIXMcSfXd0BZUtBrqf0a8s%3D&reserved=0
It is certainly callable from Rexx and is something you can customize
if desired. Rather than RACROUTE, the program makes use of the RACF
R_admin callable service. RACF callable service functionality may map
more closely to the kind of permission/resource related questions you
posed. The RACF callable services are documented here...
https://eur06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww-01.ibm.com%2Fservers%2Fresourcelink%2Fsvc00100.nsf%2Fpages%2FzOSV2R3sa232293%2F%24file%2Fichd100_v2r3.pdf&data=02%7C01%7C%7Cc1ba10f375ae4291954408d823bf7269%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637298652463812056&sdata=Pr3%2Ba4ktBbxfWgtzqsaVCF%2BvXMSMovGYt42sT1KOKCk%3D&reserved=0
HTH,
Mike
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
On Behalf Of Bob Bridges
Sent: Wednesday, July 8, 2020 7:04 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ISPF 3.4 DSLIST questions
Caution! This message was sent from outside your organization.
I've been doing mainframe security for a few decades now, but I've
never learned IBM's version of assembler (I still have ambitions of
doing that eventually) so I may be mistaken about how RACROUTE works.
But my impression is that the question the OS asks the security system
might look like this: "About resource HLQ.XYZ in class DATASET, does
ABC have UPDATE access to it?" In other words, the question specifies
the class, the resource name, the user's ID and the level of access
(READ or whatever), and the answer is a simple Yes or No (or in rare
cases "I can't tell").
Am I mistaken in that? If not, then how do you learn what access ABC
has to HLQ.XYZ without asking once for READ, once for UPDATE and so on?
---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313
/* People don't really want to go back to a time when the world was
simpler. They want to go back to a time when they didn't understand
how complicated the world has always been. */
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
On Behalf Of David Spiegel
Sent: Tuesday, July 7, 2020 18:15
"... But if you want to know all the kinds of access you have, you'd
need to ask the question three or four times, for read, update,
execute and create. ..."
This statement is not true.
I published an Assembler program and a Rexx Exec here on June 14.
My program has been placed on CBT File 836 (for now, it's in the
Update section of the website).
--- On 2020-07-07 17:45, Bob Bridges wrote:
Nothing useful to say about your first question, but about the
second: I can think of two ways to pull your access information for
a list of datasets.
1) Query the system about which security app is running (RACF, ACF2
or TSS), then issue the commands and parse the output. Display only
the brief results, eg "RW" for "read/write". I have a REXX that can
tell you which security app is running, if you're interested.
That involves a lot of coding. It might be simpler (if you can find
a way to do it) to 2) do a RACROUTE query, since that sends the
question to existing security system and returns simply 0 (access
allowed), 8 (not allowed) or very rarely 4 (can't tell). But if you
want to know all the kinds of access you have, you'd need to ask the
question three or four times, for read, update, execute and create.
And for both methods you'd have to do the query for every dataset in
the list. If you do long lists and/or do this often, it puts a
burden on the system that might get you talked about (and to) by the
operations folks. Probably not a good idea.
-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On
Behalf Of Tim Hare
Sent: Tuesday, July 7, 2020 1:08 PM
I have some questions about the ISPF 3.4 utility.
1. Why does 'Referred' show on the "total" display for datasets, but
if you print the dataset list, you don't get it?
2. Are there ways to extend what is displayed? For one example: I
would like to have column for 'Your Access' that would show me what
RACF says my access is, rather than having to do LD DA(/) ALL GEN on
a line, and "suffer" through the TSO command output (as I've rarely
worked with ACF2 and never with Top Secret I don't know if such a
request can be done for 'generic security system')
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN