Walt, the following worked flawlessly:
         RACROUTE REQUEST=TOKENXTR,TOKNOUT=TOKORIG,                    X
               WORKA=RACWK,RELEASE=1.9
         RACROUTE REQUEST=TOKENBLD,TOKNIN=TOKORIG,TOKNOUT=TOKMOD,      X
               POE=MYPOE,WORKA=RACWK,RELEASE=1.9
         LA    R4,TOKMOD
         MGCRE MF=(E,LAREA),TEXT=(R3),CONSID=MYCON,UTOKEN=(R4)
Thank you very much, I would have never figured "WHEN(CONSOLE(" meant the port
of entry.
Much appreciated,
Leo
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf
Of Walt Farrell
Sent: Tuesday, January 31, 2017 11:24 AM
To: [email protected]
Subject: Re: MGCRE with custom console security. - or - How does SDSF do it?
"WHEN(CONSOLE(SDSF))"
On Tue, 31 Jan 2017 16:11:42 +0000, Leonardo Vaz <[email protected]> wrote:
>I am attempting to create a program to issue specific system commands
>(modify) that users aren't usually allowed to in the OPERCMDS class;
>basically, I'm attempting to do the same thing SDSF does on, for example,
>cancelling jobs, where you secure which jobs a user has access to on the SDSF
>class, and on the OPERCMDS class you add a WHEN(CONSOLE(SDSF)) to the rule.
>
>The RACF manual seems to indicate that the "WHEN(CONSOLE(" parm is to specify
>a console name, but that doesn't seem to be the case, I've tried using a
>CONSNAME= on the MGCRE for a console with that name (activated with MCSOPER),
>but no luck.
MGCRE accepts a security UTOKEN as one of its parameters.
For commands generated against protected resources (vs commands issued with /
on the command line), after proper security checks are done, SDSF does
something like:
(1) Extract a copy of the user's UTOKEN.
(2) Change the session type in the copy so it represents a console operator
(3) Change the port of entry in the copy so it says "SDSF"
(4) Issue the MGCRE using the modified UTOKEN.
Note that / commands would be issued without a UTOKEN, or with the user's
standard UTOKEN rather than the modified one.
--
Walt
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to
[email protected] with the message: INFO IBM-MAIN
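Editor's added example, not code from either message in this thread: the complete sequence Walt lists, written out as an HLASM fragment. Leo's posted code changes only the port of entry; this version also performs Walt's step (2), rebuilding the token with a console-operator session type, and adds the authorization check that must precede it, since a program that issues MGCRE with a substitute UTOKEN is itself the control point for who may use that path. Every name here (RACWK, TOKORIG, TOKMOD, MYPOE, CMDENT, LAREA, MYCON, DENIED, the register equates) is an assumption chosen for illustration; the OPERCMDS resource name MVS.MODIFY.JOB.jobname and the SESSION=CONSOPER keyword value are taken from RACF conventions the thread does not itself spell out, and should be checked against the RACROUTE and OPERCMDS documentation for the release in use.

```hlasm
* Added example (not from the thread). Assumes R3, R4, R15 are
* equated and that LAREA/MYCON are set up as in Leo's message.
*
* Step 0: verify the caller's own access to the protected resource
*         BEFORE any token is rebuilt. This is the program's real
*         security check; the WHEN(CONSOLE()) permit only says that
*         commands arriving via port of entry MYPOE are allowed.
         RACROUTE REQUEST=AUTH,CLASS='OPERCMDS',                       X
               ENTITY=CMDENT,ATTR=UPDATE,                             X
               WORKA=RACWK,RELEASE=1.9
         LTR   R15,R15             RACROUTE return code 0 = authorized
         BNZ   DENIED              anything else: issue no command
*
* Step 1: extract a copy of the caller's UTOKEN
         RACROUTE REQUEST=TOKENXTR,TOKNOUT=TOKORIG,                    X
               WORKA=RACWK,RELEASE=1.9
*
* Steps 2 and 3: build a new token from the copy, with the session
*         type changed to console operator and the port of entry set
*         to this program's own name (the name used in the permit)
         RACROUTE REQUEST=TOKENBLD,TOKNIN=TOKORIG,TOKNOUT=TOKMOD,      X
               SESSION=CONSOPER,POE=MYPOE,                            X
               WORKA=RACWK,RELEASE=1.9
*
* Step 4: issue the command under the modified token only
         LA    R4,TOKMOD
         MGCRE MF=(E,LAREA),TEXT=(R3),CONSID=MYCON,UTOKEN=(R4)
         B     DONE
DENIED   DS    0H                  caller lacks access: log/return
         ...
DONE     DS    0H
*
* Storage (assumed sizes: 80-byte UTOKEN, 512-byte RACROUTE work
* area, OPERCMDS entity padded with blanks to the class maximum)
TOKORIG  DS    CL80                caller's token, as extracted
TOKMOD   DS    CL80                rebuilt token handed to MGCRE
MYPOE    DC    CL8'MYPOE'          port of entry, matches WHEN(CONSOLE(MYPOE))
RACWK    DS    CL512               RACROUTE work area
CMDENT   DC    CL39'MVS.MODIFY.JOB.MYJOB'  resource checked in step 0 (assumed name)
```

The matching RACF side is a conditional permit of the form PERMIT MVS.MODIFY.JOB.** CLASS(OPERCMDS) ID(user) ACCESS(UPDATE) WHEN(CONSOLE(MYPOE)), so the user gains that access only when the command arrives with a token whose port of entry is MYPOE. Two things follow for anyone building such a program: MGCRE itself needs an authorized caller, so the program must live in an APF-authorized library and its own step 0 check is the only thing standing between the caller and an operator command; and, as Walt notes for SDSF, commands typed directly by the user must still go out without the modified token, or the conditional permit is bypassed.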