Re: RACF, the FACILITY class, and z/XDC

Tue, 14 Nov 2023 05:03:29 -0800 

Since everyone already answered, here is my answer :-)
1. You can choose your own class.
Advantages:
You choose max. profile length, etc.
Naming conventions is completely up to you, that means no interference with other products/profiles, no reserved names/prefixes. 
Disadvantage:
Some people are reluctant to create yet another RACF class. And sometime they make errors (sample definition should solve it). 

2. XFACILIT
Advantages:
Length up to 246 chars

...and something nobody mentioned yet: GXFACILI grouping class. While 
long profiles allow wise naming convention, there is still way to group 
some unlikely named resource names into single profile.

(the same feature can be made in user-defined class as well)

HTH

--
Radoslaw Skorupka
Lodz, Poland





W dniu 12.11.2023 o 11:40, David Cole pisze:

I've got a problem. Decades ago, I made some assumptions about RACF's 
FACILITY class that have turned out to be wrong.



Currently, I'm working on implementing a new security rule for z/XDC, 
and the individual rules ("entities") can be up to 59 characters long.



Decades ago, when I was porting z/XDC's security rules from ACF2 to 
RACF, I made the decision to piggy-back my security rules into RACF's 
FACILITY class. I didn't know much about RACF then (and I still 
don't), and it did not occur to me that rule length would be an issue. 
I was wrong. It is an issue.



Yesterday, I was testing with an instance of the new rule that was 44 
characters long. Boom! My "RACROUTE REQUEST=AUTH" (racheck) call 
failed with "ICH409I 282-054 ABEND DURING RACHECK PROCESSING". This 
basically means that the entity I passed (my 44-character rule) was 
too long for its class (FACILITY).


Ouch!


So now I have several questions that I'm hoping someone here can 
provide answers to.

   * What is the longest entity the FACILITY class will accept?
   * Where do I find that specific fact doc'd?
   * Is there a command that will display that information?

   * Is there a catch-all class that z/XDC can use for its rules other 
than FACILITY?

   * Where do other vendors put their rules?

Asking for a friend [:-J]
Dave Cole



----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN























					Reply via email to