I agree with you about TSSSIM.. but at least when you detect bad
responses.. you can open an issue to get it corrected.

Rob

On Wed, Jun 15, 2022 at 11:51 AM Bob Bridges <[email protected]> wrote:

> I like a lot of the features of TSS, but I agree about masking; RACF has
> far the better scheme.  I'm guessing that when they included the period
> among the characters that could be masked by an asterisk, it seemed to them
> like a brilliant idea.  But in my opinion, and as you say, it's a lot worse.
>
> I use TSSSIM a lot, but I'm not a big fan of batch operations for such a
> simple and fast-running function so I wrote a REXX (named TSIM) that'll let
> me invoke it as a command-line function.  You can spell out all the parms
> if you want -
>
>   ==> tso tsim acid(myid) fac(tso) dataset(my.dataset.name) acc(read)
>
> - but the REXX attempts a lot of assumptions for the missing ones so
>
>   ==> tso tsim myid my.dataset.name
>
> ...yields the same result.  Very handy.
>
> Incidentally, my go-to Horse's Mouth for TSS at CA tells me that even
> TSSSIM cannot be counted on to get ~every~ possible query right; there are
> complications within the TSS algorithm that TSSSIM can miss.  I gather,
> though, that they're rare enough that I don't worry about them.  It's just
> something I keep in mind; if ever TSS doesn't do what TSIM says it should,
> I'll remember then to look closer.
>
> ---
> Bob Bridges, [email protected], cell 336 382-7313
>
> /* The difference between British and Americans is that Americans think a
> hundred years is a long time, and the British think a hundred miles is a
> long drive.  -Unknown */
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <[email protected]> On Behalf
> Of Rob Schramm
> Sent: Tuesday, June 14, 2022 23:12
>
> "*" for TSS is definitely 0.1 - 8
>
> "*" does not function like the RACF *.  It crosses indexes.  (unless there
> is a mod that changes the behavior)  This is very concerning when you have
> short indexes and naming convention collisions.
>
> The reason for the .1 is that if you add "*" to the end of a string let's
> say there are 2 permits TEMP.TST and TEMP.TST*   The * provides a better
> match even if the incoming data set for authorization is TEMP.TST.
>
> "+" is definitely one character
>
> "-" I never used this one.. so I can't comment
>
> Normally conflicting matches will choose the access level in the following
> order (this only occurs when certain control options are chosen)
> 1) none
> 2) all
> 3) lowest level  i.e. if there is READ and another has UPDATE.. READ will
> be chosen.
>
> You are correct about the "additional items" on the PERMIT like PROGRAM,
> LIBRARY, ACTION, CPU etc etc... which can create a best match.  Of course
> there are facility (tss facility not RACF facility) considerations, control
> options and other userID (aka ACID) issues that can affect the checking.
>
> Duplicating this in REXX.. well.. I would use TSSSIM or the data base
> unload which is supposed to include simulated checks.   There is also an
> LDAP with some library(s) to perform data set checking.  All I am saying is
> there is a lot to simulating it.  And just because you have the matching
> left to right working, doesn't mean that you have all the stuff correct.
>
> --- On Mon, Jun 13, 2022 at 5:02 PM Bob Bridges <[email protected]>
> wrote:
> > The TSS manual (v15) says it starts by looking for, simply, the
> > longest resource name:
> >
> > /* Quote begins */
> > To determine the longest resource name, each character in the resource
> > name counts as one character whether it is a normal character or a
> > masking character. If the floating mask “-” is used in a PERMIT, only
> > count the characters prior to the mask. The following table contains
> > examples of how to count characters:
> >
> >   For Resource    Number of Characters Counted
> >   SMITH.TEST.JCL  14, all characters are counted
> >   JONES.*.JCL     11, all characters are counted
> >   BROWN.-.JCL     6, only 'BROWN.' is counted
> > /* Quote ends */
> >
> > In TSS, masking characters are '+', '*' and '-'.  The plus sign is one
> > character.  I've heard conflicting things about the other two; at one
> > time I understood that the '*' could stand for any zero to eight
> > characters INCLUDING A PERIOD, so that GEN*FIT would match GENFIT,
> > GEN.FIT, GEN.XYZ.FIT or GENXX.XYZ.XFIT.  But it also says here it's
> > supposed to be about a single index.  One of these days I've got to
> > test this and see what the real story is.  The hyphen, it says here,
> > is a "floating" mask; they appear to mean it can represent any number of
> > characters.
> >
> > If you have multiple permissions which by the above criteria are the
> > same length, then it looks at other features of the permissions to
> > determine a match.  For instance, if one of them says ACCESS(NONE),
> > that one controls regardless of other matters.  Failing that, it looks
> > at (for example) FACILITY, TIME, TERMINAL and so on.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
>
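Added example, not part of any message in this thread and not TSS or TSSSIM code: a small Python model of the rules as the thread states them (the manual's character-counting rule, "*" as zero to eight characters that may cross a period, and the NONE / ALL / lowest-level tie-break), useful for seeing where a short "*" permit collides across indexes. The mask semantics, the READ < UPDATE ordering and all permits below are assumptions or constructed values; real TSS checking also involves facilities, control options and other PERMIT operands that this model ignores.

```python
import re

# Tie-break order as described in the thread: NONE, then ALL, then the
# lowest level. READ < UPDATE is the only ordering the thread gives.
RANK = {"NONE": 0, "ALL": 1, "READ": 2, "UPDATE": 3}

def counted_length(mask):
    """Characters counted for 'longest resource name': every character
    counts, except that only the part before a floating '-' is counted."""
    return len(mask.split("-", 1)[0])

def mask_to_regex(mask):
    """Assumed semantics: '+' = one character, '*' = 0 to 8 characters
    including periods, '-' = any number of characters."""
    table = {"+": ".", "*": ".{0,8}", "-": ".*"}
    return re.compile("".join(table.get(c, re.escape(c)) for c in mask))

def matches(mask, dsname):
    return mask_to_regex(mask).fullmatch(dsname) is not None

def best_permit(permits, dsname):
    """permits: list of (mask, access). Returns the winning pair or None."""
    hits = [p for p in permits if matches(p[0], dsname)]
    if not hits:
        return None
    longest = max(counted_length(m) for m, _ in hits)
    tied = [p for p in hits if counted_length(p[0]) == longest]
    # Among equally long matches, apply the NONE / ALL / lowest-level order.
    return min(tied, key=lambda p: RANK[p[1]])

# Constructed permits for illustration only.
PERMITS = [
    ("TEMP.TST", "READ"),
    ("TEMP.TST*", "UPDATE"),
    ("GEN*FIT", "UPDATE"),
    ("BROWN.-.JCL", "READ"),
    ("BROWN.+EST.JCL", "NONE"),
]

if __name__ == "__main__":
    for ds in ["TEMP.TST", "GEN.XYZ.FIT", "GENXX.XYZ.XFIT",
               "BROWN.TEST.JCL", "BROWN.A.B.JCL"]:
        print(ds, "->", best_permit(PERMITS, ds))
```
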
