Walt,

The user needs access to query RACF with IRRXUTIL as well. I think the best
way is a RACROUTE third-party check, and the REXX needs to be compiled to
hide the code.

ITschak

| Itschak Mugzach | Director | SecuriTeam Software | IronSphere Platform | Information Security Continuous Monitoring for Z/OS, zLinux and IBM I |

| Email: i_mugz...@securiteam.co.il | Mob: +972 522 986404 | Skype: ItschakMugzach | Web: www.Securiteam.co.il |

On Thu, Aug 6, 2020 at 10:29 PM Walt Farrell <walt.farr...@gmail.com> wrote:

> On Mon, 3 Aug 2020 04:16:38 +0000, Gadi Ben-Avi <gad...@malam.com> wrote:
>
> >But that would mean checking if the user has access, or if the user has
> access through any of the groups it is connected to.
>
> If I remember correctly, if the user can see anything from the profile
> that protects the resource then he has at least READ access somehow. So
> that should provide your answer. So running IRRXUTIL and querying the
> profile that protects the resource should provide the answer you need.
>
> However, I'd be careful doing this. First, of course, you have the Time Of
> Check To Time Of Use problem, and after you make your check the user may
> lose access.
>
> Next, you need to worry about where the REXX exec runs. If it runs in the
> user's address space then there are ways the user might bypass your check.
>
> Finally, if your REXX exec is going to do something that will also perform
> a security check, then it's generally better to just attempt the operation
> and let the real enforcement happen. If you try to make a check yourself
> you may get false positives or false negatives, depending on TOCTTOU and/or
> how the security administrators decided to set up the profile and access
> lists.
>
> --
> Walt
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
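The two points Walt raises (a user can hold access through a group connect as well as through an explicit entry, and a pre-check in the exec followed by the real operation has a time-of-check-to-time-of-use window) are easier to see on a small model. The following is an added example and is not code from the thread, from IBM, or from any product named in the signatures above. It is a plain-Python, in-memory stand-in for a resource profile with an access list: the `SecurityManager` class, the `ACCESS_LEVELS` table, the profile `PAYROLL.DATA`, the group `PAYGRP` and the user IDs are all constructed for illustration. The resolution order it uses (explicit user entry first, then the highest access among the user's groups, then UACC) is a simplification of how a security manager resolves access and is not an IRRXUTIL or RACROUTE call.

```python
"""
Added example: check-then-use (what a REXX exec does when it queries the
profile and then acts) versus attempt-and-let-enforcement-decide, plus
access resolution through user and group entries. All names and data are
constructed for this illustration; nothing here talks to a real security
manager.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumed ordering of access levels, lowest to highest.
ACCESS_LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


class AccessDenied(Exception):
    """Raised by the resource manager when the caller lacks the needed access."""


@dataclass
class Profile:
    name: str
    uacc: str = "NONE"
    # access list: user ID or group name -> access level
    acl: Dict[str, str] = field(default_factory=dict)


@dataclass
class SecurityManager:
    profiles: Dict[str, Profile]
    groups: Dict[str, List[str]]  # user ID -> groups the user is connected to

    def effective_access(self, user: str, resource: str) -> str:
        """Resolve access: explicit user entry, else best group entry, else UACC."""
        prof = self.profiles[resource]
        if user in prof.acl:
            return prof.acl[user]
        best: Optional[str] = None
        for group in self.groups.get(user, []):
            level = prof.acl.get(group)
            if level is not None and (best is None or ACCESS_LEVELS[level] > ACCESS_LEVELS[best]):
                best = level
        return best if best is not None else prof.uacc

    def authorized(self, user: str, resource: str, needed: str) -> bool:
        return ACCESS_LEVELS[self.effective_access(user, resource)] >= ACCESS_LEVELS[needed]

    def open_resource(self, user: str, resource: str, needed: str) -> str:
        """The real operation: enforcement happens here, at time of use."""
        if not self.authorized(user, resource, needed):
            raise AccessDenied(f"{user} lacks {needed} on {resource}")
        return f"{resource} opened for {user} with {needed}"


def check_then_open(sm: SecurityManager, user: str, resource: str, needed: str,
                    between: Callable[[], None] = lambda: None) -> str:
    """The pattern the thread warns about: query the profile first, then act.
    `between` models whatever happens in the window between check and use."""
    if not sm.authorized(user, resource, needed):
        return "refused by pre-check"
    between()  # e.g. an administrator removes the user's access right here
    try:
        return sm.open_resource(user, resource, needed)
    except AccessDenied:
        return "pre-check passed but operation denied"  # the check gave a false positive


def attempt_open(sm: SecurityManager, user: str, resource: str, needed: str) -> str:
    """The pattern the thread recommends: attempt the operation and handle the denial."""
    try:
        return sm.open_resource(user, resource, needed)
    except AccessDenied:
        return "denied"


def build_demo() -> SecurityManager:
    """Constructed sample data: one profile, one group, three users."""
    prof = Profile("PAYROLL.DATA", uacc="NONE", acl={"PAYGRP": "READ", "GADI": "UPDATE"})
    return SecurityManager(profiles={prof.name: prof},
                           groups={"ALICE": ["PAYGRP"], "GADI": ["PAYGRP"], "BOB": []})


def run_demo() -> Dict[str, str]:
    sm = build_demo()
    results = {
        "alice_via_group": sm.effective_access("ALICE", "PAYROLL.DATA"),  # READ, via PAYGRP
        "gadi_user_entry": sm.effective_access("GADI", "PAYROLL.DATA"),   # UPDATE, user entry wins
        "bob_uacc": sm.effective_access("BOB", "PAYROLL.DATA"),           # NONE, falls to UACC
        "bob_attempt": attempt_open(sm, "BOB", "PAYROLL.DATA", "READ"),   # denied
    }

    def revoke_alice() -> None:
        sm.groups["ALICE"].remove("PAYGRP")  # the TOCTOU: access lost after the check

    results["alice_toctou"] = check_then_open(sm, "ALICE", "PAYROLL.DATA", "READ", between=revoke_alice)
    results["alice_after"] = attempt_open(sm, "ALICE", "PAYROLL.DATA", "READ")
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The `alice_toctou` case is the false positive Walt describes: the pre-check says READ is held through the group, the connect is removed in the window, and the operation is then refused anyway. Nothing the exec can query beforehand closes that window, which is why attempting the operation and handling the denial is the more reliable shape; the pre-check only adds a second place where the access rules are re-implemented and can drift from what the administrators actually configured.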
