Thank you very much kind Walt! Beauty! So I'm guessing a "RACROUTE 
REQUEST=TOKENBLD" to copy the UTOKEN, then change the port of entry in the 
copy; never done this before, with a quick look in the book I am guessing the 
mapping DSECT is RUTKN and field TOKPOE, is that right?

Lizette, to answer your question, here is what I was trying to do, obviously 
the wrong thing:
         MCSOPER REQUEST=ACTIVATE,NAME=MYCON,CONSID=IDAREA,            X
               MCSCSA=STATUS_AREA,MCSCSAA=MY_ALET,                     X
               MSGECB=ALERT_ECB,TERMNAME=USERID
         MGCRE MF=(E,LAREA),TEXT=(R3),CONSNAME=MYCON
...
MYCON    DC    CL8'VMCF    '

This is what I get:
VMCF     00000290  F LLA,REFRESH
JOB46608 00000090  IEE345I MODIFY   AUTHORITY INVALID, FAILED BY SECURITY PRODUCT
JOB46608 00000094  ACF04056 ACCESS TO RESOURCE MVS.MODIFY.STC.LLA.LLA TYPE ROPR BY xxxxxxx
                   NOT AUTHORIZED

Even though the security rule is:
MODIFY.- UID(*) SOURCE(VMCF) ALLOW

Thanks again Walt! :)

Regards,
Leo

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf 
Of Walt Farrell
Sent: Tuesday, January 31, 2017 11:24 AM
To: [email protected]
Subject: Re: MGCRE with custom console security. - or - How does SDSF do it? 
"WHEN(CONSOLE(SDSF))"

On Tue, 31 Jan 2017 16:11:42 +0000, Leonardo Vaz <[email protected]> wrote:

>I am attempting to create a program to issue specific system commands 
>(modify) that users aren't usually allowed to in the OPERCMDS class; 
>basically, I'm attempting to do the same thing SDSF does on, for example, 
>cancelling jobs, where you secure which jobs a user has access to on the SDSF 
>class, and on the OPERCMDS class you add a WHEN(CONSOLE(SDSF)) to the rule.
>
>The RACF manual seems to indicate that the "WHEN(CONSOLE(" parm is to specify 
>a console name, but that doesn't seem to be the case, I've tried using a 
>CONSNAME= on the MGCRE for a console with that name (activated with MCSOPER), 
>but no luck.

MGCRE accepts a security UTOKEN as one of its parameters. 

For commands generated against protected resources (vs commands issued with / 
on the command line), after proper security checks are done, SDSF does 
something like:
(1) Extract a copy of the user's UTOKEN.
(2) Change the session type in the copy so it represents a console operator
(3) Change the port of entry in the copy so it says "SDSF"
(4) Issue the MGCRE using the modified UTOKEN.

Note that / commands would be issued without a UTOKEN, or with the user's 
standard UTOKEN rather than the modified one.

--
Walt

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
[email protected] with the message: INFO IBM-MAIN
