I agree with you about TSSSIM.. but at least when you detect bad responses.. you can open an issue to get it corrected.
Rob

On Wed, Jun 15, 2022 at 11:51 AM Bob Bridges <[email protected]> wrote:

> I like a lot of the features of TSS, but I agree about masking; RACF has
> far the better scheme. I'm guessing that when they included the period
> among the characters that could be masked by an asterisk, it seemed to them
> like a brilliant idea. But in my opinion, and as you say, it's a lot worse.
>
> I use TSSSIM a lot, but I'm not a big fan of batch operations for such a
> simple and fast-running function so I wrote a REXX (named TSIM) that'll let
> me invoke it as a command-line function. You can spell out all the parms
> if you want -
>
> ==> tso tsim acid(myid) fac(tso) dataset(my.dataset.name) acc(read)
>
> - but the REXX attempts a lot of assumptions for the missing ones so
>
> ==> tso tsim myid my.dataset.name
>
> ...yields the same result. Very handy.
>
> Incidentally, my go-to Horse's Mouth for TSS at CA tells me that even
> TSSSIM cannot be counted on to get ~every~ possible query right; there are
> complications within the TSS algorithm that TSSSIM can miss. I gather,
> though, that they're rare enough that I don't worry about them. It's just
> something I keep in mind; if ever TSS doesn't do what TSIM says it should,
> I'll remember then to look closer.
>
> ---
> Bob Bridges, [email protected], cell 336 382-7313
>
> /* The difference between British and Americans is that Americans think a
> hundred years is a long time, and the British think a hundred miles is a
> long drive. -Unknown */
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <[email protected]> On Behalf
> Of Rob Schramm
> Sent: Tuesday, June 14, 2022 23:12
>
> "*" for TSS is definitely 0.1 - 8
>
> "*" does not function like the RACF *. It crosses indexes. (unless there
> is a mod that changes the behavior) This is very concerning when you have
> short indexes and naming convention collisions.
>
> The reason for the .1 is that if you add "*" to the end of a string let's
> say there are 2 permits TEMP.TST and TEMP.TST* The * provides a better
> match even if the incoming data set for authorization is TEMP.TST.
>
> "+" is definitely one character
>
> "-" I never used this one.. so I can't comment
>
> Normally conflicting matches will choose the access level in the following
> order (this only occurs when certain control options are chosen)
> 1) none
> 2) all
> 3) lowest level i.e. if there is READ and another has UPDATE.. READ will
> be chosen.
>
> You are correct about the "additional items" on the PERMIT like PROGRAM,
> LIBRARY, ACTION, CPU etc etc... which can create a best match. Of course
> there are facility (tss facility not RACF facility) considerations, control
> options and other userID (aka ACID) issues that can affect the checking.
>
> Duplicating this in REXX.. well.. I would use TSSSIM or the data base
> unload which is supposed to include simulated checks. There is also an
> LDAP with some library(s) to perform data set checking. All I am saying is
> there is a lot to simulating it. And just because you have the matching
> left to right working, doesn't mean that you have all the stuff correct.
>
> --- On Mon, Jun 13, 2022 at 5:02 PM Bob Bridges <[email protected]>
> wrote:
> > The TSS manual (v15) says it starts by looking for, simply, the
> > longest resource name:
> >
> > /* Quote begins */
> > To determine the longest resource name, each character in the resource
> > name counts as one character whether it is a normal character or a
> > masking character. If the floating mask "-" is used in a PERMIT, only
> > count the characters prior to the mask. The following table contains
> > examples of how to count characters:
> >
> > For Resource       Number of Characters Counted
> > SMITH.TEST.JCL     14, all characters are counted
> > JONES.*.JCL        11, all characters are counted
> > BROWN.-.JCL        6, only 'BROWN.' is counted
> > /* Quote ends */
> >
> > In TSS, masking characters are '+', '*' and '-'. The plus sign is one
> > character. I've heard conflicting things about the other two; at one
> > time I understood that the '*' could stand for any zero to eight
> > characters INCLUDING A PERIOD, so that GEN*FIT would match GENFIT,
> > GEN.FIT, GEN.XYZ.FIT or GENXX.XYZ.XFIT. But it also says here it's
> > supposed to be about a single index. One of these days I've got to
> > test this and see what the real story is. The hyphen, it says here,
> > is a "floating" mask; they appear to mean it can represent any number of
> > characters.
> >
> > If you have multiple permissions which by the above criteria are the
> > same length, then it looks at other features of the permissions to
> > determine a match. For instance, if one of them says ACCESS(NONE),
> > that one controls regardless of other matters. Failing that, it looks
> > at (for example) FACILITY, TIME, TERMINAL and so on.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
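
Added example (not part of the original thread, and not TSS or TSSSIM code): a Python sketch of the masking and longest-resource-name rules as stated in the messages above, showing why TEMP.TST* outranks TEMP.TST and how a "*" that crosses indexes collides with unrelated names under a short prefix. Assumptions: each permit is treated as a full-name pattern, "+" is any one character, "-" is any number of characters, the sample permits are constructed, and tie-breaking among equal-length matches (ACCESS(NONE), FACILITY and so on) is not modeled.

```python
import re

# Constructed sample permits: (masked resource name, access level).
PERMITS = [
    ("TEMP.TST", "UPDATE"),
    ("TEMP.TST*", "READ"),
    ("PAY*", "READ"),
    ("BROWN.-.JCL", "READ"),
]


def counted_length(mask):
    """Length per the manual quote: every character counts, masking
    characters included, but only those before a floating '-' mask."""
    return len(mask.split("-", 1)[0])


def to_regex(mask, star_crosses_index=True):
    """Translate a permit mask to a regex (assumed semantics, see lead-in).
    star_crosses_index=True lets '*' stand for 0-8 characters including a
    period, as described in the thread; False confines it to one index so
    the two behaviours can be compared."""
    star = ".{0,8}" if star_crosses_index else "[^.]{0,8}"
    masks = {"+": ".", "*": star, "-": ".*"}
    return re.compile("".join(masks.get(c, re.escape(c)) for c in mask))


def matching_permits(dsn, permits, star_crosses_index=True):
    """All permits whose mask matches dsn, longest counted length first."""
    hits = [(m, a) for m, a in permits
            if to_regex(m, star_crosses_index).fullmatch(dsn)]
    return sorted(hits, key=lambda p: counted_length(p[0]), reverse=True)


def best_match(dsn, permits, star_crosses_index=True):
    """The longest matching permit, or None when nothing matches."""
    hits = matching_permits(dsn, permits, star_crosses_index)
    return hits[0] if hits else None


if __name__ == "__main__":
    for dsn in ("TEMP.TST", "PAY.MASTER", "PAYROLL.X", "BROWN.A.B.JCL"):
        print(dsn, "crossing:", best_match(dsn, PERMITS),
              "single index:", best_match(dsn, PERMITS, False))
```

A review built on this kind of check lists, for each short-prefix "*" permit, the existing data set names it covers in both modes; any name covered only when "*" crosses an index is a naming-convention collision worth confirming with TSSSIM.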
