On Tue, 31 Jan 2017 16:11:42 +0000, Leonardo Vaz <[email protected]> wrote:
>I am attempting to create a program to issue specific system commands (modify)
>that users aren't usually allowed to in the OPERCMDS
>class; basically, I'm attempting to do the same thing SDSF does on, for
>example, cancelling jobs, where you secure which jobs a user has
>access to on the SDSF class, and on the OPERCMDS class you add a
>WHEN(CONSOLE(SDSF)) to the rule.
>
>The RACF manual seems to indicate that the "WHEN(CONSOLE(" parm is to specify
>a console name, but that doesn't seem to be the >case, I've tried using a
>CONSNAME= on the MGCRE for a console with that name (activated with MCSOPER),
>but no luck.
MGCRE accepts a security UTOKEN as one of its parameters.
For commands generated against protected resources (vs commands issued with /
on the command line), after proper security checks are done, SDSF does
something like:
(1) Extract a copy of the user's UTOKEN.
(2) Change the session type in the copy so it represents a console operator
(3) Change the port of entry in the copy so it says "SDSF"
(4) Issue the MGCRE using the modified UTOKEN.
Note that / commands would be issued without a UTOKEN, or with the user's
standard UTOKEN rather than the modified one.
--
Walt
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
