Really curious now, what exactly will changing TOKSTYP to TOKCONS achieve?

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Walt Farrell
Sent: Tuesday, January 31, 2017 11:24 AM
To: [email protected]
Subject: Re: MGCRE with custom console security. - or - How does SDSF do it? "WHEN(CONSOLE(SDSF))"

On Tue, 31 Jan 2017 16:11:42 +0000, Leonardo Vaz <[email protected]> wrote:

>I am attempting to create a program to issue specific system commands
>(modify) that users aren't usually allowed to in the OPERCMDS class;
>basically, I'm attempting to do the same thing SDSF does on, for example,
>cancelling jobs, where you secure which jobs a user has access to on the SDSF
>class, and on the OPERCMDS class you add a WHEN(CONSOLE(SDSF)) to the rule.
>
>The RACF manual seems to indicate that the "WHEN(CONSOLE(" parm is to specify
>a console name, but that doesn't seem to be the case, I've tried using a
>CONSNAME= on the MGCRE for a console with that name (activated with MCSOPER),
>but no luck.

MGCRE accepts a security UTOKEN as one of its parameters. For commands generated against protected resources (vs commands issued with / on the command line), after proper security checks are done, SDSF does something like:

(1) Extract a copy of the user's UTOKEN.
(2) Change the session type in the copy so it represents a console operator.
(3) Change the port of entry in the copy so it says "SDSF".
(4) Issue the MGCRE using the modified UTOKEN.

Note that / commands would be issued without a UTOKEN, or with the user's standard UTOKEN rather than the modified one.

--
Walt

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
