On Mon, 3 Aug 2020 04:16:38 +0000, Gadi Ben-Avi <gad...@malam.com> wrote:
>But that would mean checking if the user has access, or if the user has access
>through any of the groups it is connected to.

If I remember correctly, if the user can see anything from the profile that protects the resource then he has at least READ access somehow. So that should provide your answer. So running IRRXUTIL and querying the profile that protects the resource should provide the answer you need.

However, I'd be careful doing this. First, of course, you have the Time Of Check To Time Of Use problem, and after you make your check the user may lose access. Next, you need to worry about where the REXX exec runs. If it runs in the user's address space then there are ways the user might bypass your check. Finally, if your REXX exec is going to do something that will also perform a security check, then it's generally better to just attempt the operation and let the real enforcement happen.

If you try to make a check yourself you may get false positives or false negatives, depending on TOCTTOU and/or how the security administrators decided to set up the profile and access lists.

--
Walt
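
The IRRXUTIL query discussed in the reply above, as an added REXX example that is not part of the original post: it asks for the profile covering a resource and treats the outcome only as a hint, leaving enforcement to the real operation. It assumes a z/OS REXX environment where IRRXUTIL is available; the class and resource name are constructed placeholders.

```rexx
/* REXX - added example, not code from the original post.          */
/* Assumption: runs where IRRXUTIL is available (z/OS).            */
/* The class and resource name are constructed placeholders.       */
class    = 'FACILITY'
resource = 'EXAMPLE.RESOURCE.NAME'

hint = CanSeeProfile(class, resource)
say 'Pre-check for' resource 'in class' class':' hint

/* The result is advisory only. Access can change between this     */
/* check and the use (TOCTTOU), and an exec running in the user's  */
/* own address space cannot be trusted to enforce anything.        */
/* Attempt the real operation next and act on the return code of   */
/* the service that performs the actual security check.            */
exit 0

/* Returns VISIBLE    - extract worked, caller can see the profile */
/*         NOTVISIBLE - the extract request itself failed (no      */
/*                      covering profile, or caller may not see    */
/*                      it), so this can be a false negative       */
/*         ERROR      - IRRXUTIL could not process the request     */
CanSeeProfile: procedure
  parse arg cls, res
  /* Sixth argument 'TRUE' requests the best-matching generic      */
  /* profile rather than an exact name match.                      */
  myrc = IRRXUTIL('EXTRACT', cls, res, 'RACF', '', 'TRUE')
  utilrc = word(myrc, 1)        /* first word: IRRXUTIL return code */
  select
    when utilrc = 0 then do
      say 'Covering profile:' RACF.PROFILE
      return 'VISIBLE'
    end
    when utilrc = 12 then do    /* failure reported by the extract */
      say 'Extract failed, IRRXUTIL return string:' myrc
      return 'NOTVISIBLE'
    end
    otherwise do
      say 'IRRXUTIL error, return string:' myrc
      return 'ERROR'
    end
  end
```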