I like a lot of the features of TSS, but I agree about masking; RACF has far 
the better scheme.  I'm guessing that when they included the period among the 
characters that could be masked by an asterisk, it seemed to them like a 
brilliant idea.  But in my opinion, and as you say, it's a lot worse.

I use TSSSIM a lot, but I'm not a big fan of batch operations for such a simple 
and fast-running function so I wrote a REXX (named TSIM) that'll let me invoke 
it as a command-line function.  You can spell out all the parms if you want -

  ==> tso tsim acid(myid) fac(tso) dataset(my.dataset.name) acc(read)

- but the REXX attempts a lot of assumptions for the missing ones so

  ==> tso tsim myid my.dataset.name

...yields the same result.  Very handy.

Incidentally, my go-to Horse's Mouth for TSS at CA tells me that even TSSSIM 
cannot be counted on to get ~every~ possible query right; there are 
complications within the TSS algorithm that TSSSIM can miss.  I gather, though, 
that they're rare enough that I don't worry about them.  It's just something I 
keep in mind; if ever TSS doesn't do what TSIM says it should, I'll remember 
then to look closer.

---
Bob Bridges, [email protected], cell 336 382-7313

/* The difference between British and Americans is that Americans think a 
hundred years is a long time, and the British think a hundred miles is a long 
drive.  -Unknown */

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Rob 
Schramm
Sent: Tuesday, June 14, 2022 23:12

"*" for TSS is definitely 0.1 - 8

"*" does not function like the RACF *.  It crosses indexes.  (unless there is a 
mod that changes the behavior)  This is very concerning when you have short 
indexes and naming convention collisions.

The reason for the .1 is that if you add "*" to the end of a string let's
say there are 2 permits TEMP.TST and TEMP.TST*   The * provides a better
match even if the incoming data set for authorization is TEMP.TST.

"+" is definitely one character

"-" I never used this one.. so I can't comment

Normally conflicting matches will choose the access level in the following 
order (this only occurs when certain control options are chosen)
1) none
2) all
3) lowest level  i.e. if there is READ and another has UPDATE.. READ will be 
chosen.

You are correct about the "additional items" on the PERMIT like PROGRAM, 
LIBRARY, ACTION, CPU etc etc... which can create a best match.  Of course there 
are facility (tss facility not RACF facility) considerations, control options 
and other userID (aka ACID) issues that can affect the checking.

Duplicating this in REXX.. well.. I would use TSSSIM or the data base unload 
which is supposed to include simulated checks.   There is also a LDAP with some 
library(s) to perform data set checking.  All I am saying is there is a lot to 
simulating it.  And just because you have the matching left to right working, 
doesn't mean that you have all the stuff correct.

--- On Mon, Jun 13, 2022 at 5:02 PM Bob Bridges <[email protected]> wrote:
> The TSS manual (v15) says it starts by looking for, simply, the 
> longest resource name:
>
> /* Quote begins */
> To determine the longest resource name, each character in the resource 
> name counts as one character whether it is a normal character or a 
> masking character. If the floating mask "-" is used in a PERMIT, only 
> count the characters prior to the mask. The following table contains 
> examples of how to count characters:
>
>   For Resource    Number of Characters Counted
>   SMITH.TEST.JCL  14, all characters are counted
>   JONES.*.JCL     11, all characters are counted
>   BROWN.-.JCL     6, only 'BROWN.' is counted
> /* Quote ends */
>
> In TSS, masking characters are '+', '*' and '-'.  The plus sign is one 
> character.  I've heard conflicting things about the other two; at one 
> time I understood that the '*' could stand for any zero to eight 
> characters INCLUDING A PERIOD, so that GEN*FIT would match GENFIT, 
> GEN.FIT, GEN.XYZ.FIT or GENXX.XYZ.XFIT.  But it also says here it's 
> supposed to be about a single index.  One of these days I've got to 
> test this and see what the real story is.  The hyphen, it says here, 
> is a "floating" mask; they appear to mean it can represent any number of 
> characters.
>
> If you have multiple permissions which by the above criteria are the 
> same length, then it looks at other features of the permissions to 
> determine a match.  For instance, if one of them says ACCESS(NONE), 
> that one controls regardless of other matters.  Failing that, it looks 
> at (for example) FACILITY, TIME, TERMINAL and so on.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
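
The character-counting rule quoted from the manual and the disputed "*" behaviour discussed in this thread, written out as an added Python example (not code from any poster or from the vendor, and not a substitute for TSSSIM). Assumptions: a permit must match the whole data set name, "+" never matches a period, every "-" in a permit is the floating mask, and the function names are hypothetical.

```python
import re

def counted_length(permit):
    """Length as the quoted manual text counts it: every character counts,
    masks included, but only the part before a floating '-' is counted."""
    head, mask, _ = permit.partition("-")
    return len(head) if mask else len(permit)

def mask_regex(permit, star_crosses_period):
    """Translate a permit into a regex under one of the two readings of '*':
    0-8 characters including periods, or 0-8 characters within one index."""
    star = ".{0,8}" if star_crosses_period else "[^.]{0,8}"
    table = {"+": "[^.]",   # assumption: one non-period character
             "*": star,
             "-": ".*"}     # floating mask: any number of characters
    return re.compile("".join(table.get(c, re.escape(c)) for c in permit))

def matching_permits(dsn, permits, star_crosses_period):
    """Permits that cover dsn, longest counted resource name first."""
    hits = [p for p in permits
            if mask_regex(p, star_crosses_period).fullmatch(dsn)]
    return sorted(hits, key=counted_length, reverse=True)

# Constructed sample data, taken from the names used in the thread.
PERMITS = ["TEMP.TST", "TEMP.TST*", "GEN*FIT", "BROWN.-.JCL"]
DSNS = ["TEMP.TST", "GENFIT", "GEN.FIT", "GEN.XYZ.FIT",
        "GENXX.XYZ.XFIT", "BROWN.A.B.JCL"]

def audit(permits=PERMITS, dsns=DSNS):
    """Data set names whose set of covering permits depends on whether
    '*' crosses a period: these are the naming-collision candidates."""
    differing = {}
    for dsn in dsns:
        crossing = matching_permits(dsn, permits, True)
        single = matching_permits(dsn, permits, False)
        if crossing != single:
            differing[dsn] = (crossing, single)
    return differing

if __name__ == "__main__":
    for permit in PERMITS:
        print(f"{permit:12} counts as {counted_length(permit)}")
    for dsn, (crossing, single) in audit().items():
        print(f"{dsn:16} crossing={crossing} single-index={single}")
```

Only the length comparison and the mask matching are modelled here; ACCESS(NONE) precedence, FACILITY, control options and the other factors mentioned in the thread are not.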
