"*" for TSS is definitely 0.1 - 8

"*" does not function like the RACF *.  It crosses indexes (unless there
is a mod that changes the behavior).  This is very concerning when you have
short indexes and naming convention collisions.

The reason for the .1 is that if you add "*" to the end of a string, let's
say there are 2 permits, TEMP.TST and TEMP.TST*, the * provides a better
match even if the incoming data set for authorization is TEMP.TST.

"+" is definitely one character

"-" I never used this one.. so I can't comment

Normally conflicting matches will choose the access level in the following
order (this only occurs when certain control options are chosen)
1) none
2) all
3) lowest level  i.e. if there is READ and another has UPDATE.. READ will
be chosen.

You are correct about the "additional items" on the PERMIT like PROGRAM,
LIBRARY, ACTION, CPU etc etc... which can create a best match.  Of course
there are facility (TSS facility, not RACF facility) considerations, control
options and other userID (aka ACID) issues that can affect the checking.

Duplicating this in REXX.. well.. I would use TSSSIM or the data base
unload which is supposed to include simulated checks.   There is also an
LDAP with some library(s) to perform data set checking.  All I am saying ..
is there is a lot to simulating it.  And just because you have the matching
left to right working, doesn't mean that you have all the stuff correct.

HTH,
Rob



On Mon, Jun 13, 2022 at 5:02 PM Bob Bridges <[email protected]> wrote:

> The TSS manual (v15) says it starts by looking for, simply, the longest
> resource name:
>
> /* Quote begins */
> To determine the longest resource name, each character in the resource
> name counts as one character whether it is a normal character or a masking
> character. If the floating mask "-" is used in a PERMIT, only count the
> characters prior to the mask. The following table contains examples of how
> to count characters:
>
>   For Resource    Number of Characters Counted
>   SMITH.TEST.JCL  14, all characters are counted
>   JONES.*.JCL     11, all characters are counted
>   BROWN.-.JCL     6, only 'BROWN.' is counted
> /* Quote ends */
>
> In TSS, masking characters are '+', '*' and '-'.  The plus sign is one
> character.  I've heard conflicting things about the other two; at one time
> I understood that the '*' could stand for any zero to eight characters
> INCLUDING A PERIOD, so that GEN*FIT would match GENFIT, GEN.FIT,
> GEN.XYZ.FIT or GENXX.XYZ.XFIT.  But it also says here it's supposed to be
> about a single index.  One of these days I've got to test this and see what
> the real story is.  The hyphen, it says here, is a "floating" mask; they
> appear to mean it can represent any number of characters.
>
> If you have multiple permissions which by the above criteria are the same
> length, then it looks at other features of the permissions to determine a
> match.  For instance, if one of them says ACCESS(NONE), that one controls
> regardless of other matters.  Failing that, it looks at (for example)
> FACILITY, TIME, TERMINAL and so on.
>
> ---
> Bob Bridges, [email protected], cell 336 382-7313
>
> /* By Faith we believe always what we have already seen imperfectly and by
> flashes, and hope hereafter to see always and perfectly.  -C S Lewis in "Is
> Theism Important?", from "God in the Dock" */
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <[email protected]> On Behalf
> Of Itschak Mugzach
> Sent: Monday, June 13, 2022 02:14
>
> Well, let's make it the TSS rule.
>
> --- On Thu, Jun 9, 2022 at 3:39 PM Bob Bridges <[email protected]>
> wrote:
> > Yes, but matching BY WHAT RULE(S)?  Which mask is the best match
> > depends on what set of rules you're using - and unless I've
> > misunderstood you, you seem to be saying that you have no particular set
> > of rules in mind.
> > Therefore you cannot determine which mask is the better fit.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
>
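
An added example, not part of either message and not TSS's own logic: the manual's counting rule quoted above combined with the tie order from the reply, written in Python rather than REXX so it can be run off-host. The mask semantics in `mask_to_regex`, whole-name matching, and all function names are assumptions; FACILITY, control options and other PERMIT attributes are ignored.

```python
import re

# Tie order from the reply above: NONE first, then ALL, then the lowest
# level. Only the access levels named in the thread are ranked here.
TIE_ORDER = {"NONE": 0, "ALL": 1, "READ": 2, "UPDATE": 3}

def counted_length(mask):
    """Manual's rule: every character counts as one, masks included;
    with a floating '-' only the characters before it are counted."""
    return mask.index("-") if "-" in mask else len(mask)

def mask_to_regex(mask):
    # ASSUMPTION (the thread disagrees on this): '+' is exactly one
    # character, '*' is zero to eight characters and may cross a period,
    # '-' is any number of characters.
    parts = {"+": ".", "*": ".{0,8}", "-": ".*"}
    return re.compile("".join(parts.get(c, re.escape(c)) for c in mask))

def best_permit(dsname, permits):
    """permits is a list of (mask, access) pairs. Returns the controlling
    pair for dsname, or None when no mask matches the whole name."""
    hits = [p for p in permits if mask_to_regex(p[0]).fullmatch(dsname)]
    if not hits:
        return None
    longest = max(counted_length(m) for m, _ in hits)
    tied = [p for p in hits if counted_length(p[0]) == longest]
    # Equal counted length: fall back to the NONE / ALL / lowest order.
    return min(tied, key=lambda p: TIE_ORDER[p[1]])

if __name__ == "__main__":
    # Constructed permits, not taken from any real security file.
    permits = [("TEMP.TST", "UPDATE"), ("TEMP.TST*", "READ"),
               ("GEN*FIT", "UPDATE"), ("GEN+FIT", "READ")]
    for dsn in ("TEMP.TST", "GEN.FIT", "GENXX.XYZ.XFIT", "OTHER.DATA"):
        print(dsn, "->", best_permit(dsn, permits))
```

With these assumptions TEMP.TST* (9 counted characters) controls over TEMP.TST (8) for data set TEMP.TST, which is the "0.1" effect described in the reply.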
