On Tue, 16 May 2017 20:42:42 +0700, Robin Atwood <[email protected]> wrote:
>>However, as you're running work on behalf of various end-users, I hope you're >>authenticating those users and >running the work under the proper end-user >>identity in each case. And that would probably require authorization >of the >>STC. > >Yes, we run under the ACEE of the user. However, unless your STC runs single-threaded (handling requests for only 1 user at a time) it's not possible for you to run REXX execs invokiing ISPF services with proper security. It would require ensuring that none of the execs, or the services they invoke, perform any ATTACH requests., The new subtask created by ATTACH would not inherit the ACEE of the user on whose behalf you're running the request. (There is one exception to that, but it's used rarely enough that it probably won't apply to you. You would have to be using WLM services, and operating as a WLM servant to manage the requests that you're processing. Then, and only then as far as I know, would the user's ACEE propagate down to a new subtask.) -- Walt ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
