On Mon, 27 Jun 2022 10:20:43 -0500, Mike Cairns <[email protected]> wrote:
>One important difference you might need to be aware of is between a normal >RACROUTE call that executes under the authority of the current user associated >with the running address space (a First Party call - i.e. checking your own >current access rights), and the special case known as Third Party RACROUTE >call where you also give the userid on the call and it's not necessarily the >same userid as you are executing under at the time. For this, you need first >to create a new RACF ACEE and pass this to the RACROUTE call - IIRC this >*requires* you to have APF Authorisation (actually, Supervisor State, however >you get that, but most commonly this means you are APF'd), IOW you won't be >doing this from a normal user address space. More correctly, Mike, to create an ACEE or specify a userid on the AUTH call (which tells RACF to create an ACEE for that user) you need to be authorized: any of APF, supervisor state, or system key will work. Another caveat: If this is happening in CICS, the code should be using CICS services, not RACROUTE, to do any checking. -- Walt ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
