On Fri, 30 Jun 2017 00:53:29 GMT, [email protected] <[email protected]> wrote:

>I am not a RACF Security Administrator by any means. After reading several
>documents, I need some help setting up a RACF Facility Class and Permitting
>Access To a Started Task Userid (STCUSRID) and My Userid (PAULD01).
>
>Do the following RACF Commands Define a Facility Class
>BLUE_RIBBON.SYS1.MSTRUPDT, and Have I permitted the Started Task Userid
>(STCUSRID) Update access to the Facility and My Userid PAULD01 Read access?
>*
>RDEFINE FACILITY BLUE_RIBBON.SYS1.MSTRUPDT UACC(NONE)
>PERMIT  BLUE_RIBBON.SYS1.MSTRUPDT CLASS(FACILITY) ID(STCUSRID) ACCESS(UPDATE)
>PERMIT  BLUE_RIBBON.SYS1.MSTRUPDT CLASS(FACILITY) ID(PAULD01) ACCESS(READ)
>*
>*
>Now for the code ...
>*
>*
>FACILITY$ DC   CL8'FACILITY'                                            
>STEM      DC   H'00',H'00'                                             
>          DC   CL13'BLUE_RIBBON.SYS1.MSTRUPDT'                         
>STEM#    EQU   *-STEM                                                  
>*                                                                      
>         DS    0D                                                      
>RACLAB   RACROUTE REQUEST=AUTH,ATTR=READ,CLASS='FACILITY',            XX
>               RELEASE=1.9,MF=L                                         
>         DS  XL8                                               
>RACLAB#  EQU  *-RACLAB                                         
>
>         MVC  SEC_ENTITY,STEM
>
>         RACROUTE REQUEST=AUTH,                                       **
>               WORKA=(R10),                                           **
>               ATTR=READ,                                             **
>               ENTITYX=SEC_ENTITY,                                    **
>               CLASS=FACILITY$,                                       **
>               MSGSUPP=NO,                                            **
>               LOG=ASIS,                                              **
>               MF=(E,RACLAB)                                          
>*
>*
>Does the Above RACROUTE REQUEST=AUTH macro verify that the userid has
>Read Authority to the Facility?
>Have I coded it properly?

You haven't shown us how SEC_ENTITY is defined, which is important. And STEM is 
not defined properly. The name portion needs to be defined with a length of 39, 
not 13, unless you set up the header differently.

Also, you're using MF=L and MF=E, implying that you're trying to use reentrant 
coding, but you're updating RACLAB, which seems to be part of your CSECT. So if 
the program really is reentrant you're going to abend when the RACROUTE macro 
runs.

Finally, even if this works, it's unclear what code is issuing the RACROUTE and 
what happens afterward. What action and data are being controlled by that 
RACROUTE call? That's an important part of the design that we would need to 
know in order to be able to say whether doing this RACROUTE makes any sense or 
not.

(By the way, the RACF-L mailing list is more appropriate for questions about 
using RACROUTE, in my opinion.)

-- 
Walt

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
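
Added example (not part of the original thread and not the poster's code): a Python model of the STEM/ENTITYX storage layout discussed in the reply, showing what `CL13` actually stores for this profile name and what a 39-byte read of the name field would pick up. The header interpretation in `name_read` and the zero filler bytes after STEM are assumptions made for illustration.

```python
# Added example: a model of the ENTITYX buffer, not code from the thread.
import struct

PROFILE = "BLUE_RIBBON.SYS1.MSTRUPDT"   # 25 characters
NAME_FIELD = 39                          # name length given in the reply


def dc_cl(length, text):
    """Model assembler DC CLn'text': truncate or blank-pad to n EBCDIC bytes."""
    return text[:length].ljust(length).encode("cp037")


def build_entityx(name, buf_len=0, name_len=0, field_len=NAME_FIELD):
    """Two halfword length fields followed by the name field."""
    return struct.pack(">HH", buf_len, name_len) + dc_cl(field_len, name)


def name_read(storage, default_len=NAME_FIELD):
    """Name a consumer would take from storage starting at the structure.

    Assumption: an explicit name length wins, then the buffer length,
    and a 0/0 header means the full default-length field is read.
    """
    buf_len, name_len = struct.unpack_from(">HH", storage)
    span = name_len or buf_len or default_len
    return storage[4:4 + span].decode("cp037").rstrip(" ")


def posted_layout():
    """STEM as posted: 0/0 header, CL13 name, then unrelated storage.

    The 40 zero bytes are constructed stand-ins for whatever follows STEM.
    """
    return struct.pack(">HH", 0, 0) + dc_cl(13, PROFILE) + bytes(40)


if __name__ == "__main__":
    # What the CL13 constant holds after truncation.
    print(repr(dc_cl(13, PROFILE).decode("cp037")))
    # What a 39-byte read sees with the posted definition.
    print(repr(name_read(posted_layout())))
    # The same header with a full 39-byte, blank-padded name field.
    print(repr(name_read(build_entityx(PROFILE))))
    # A header that states the buffer and name lengths explicitly.
    print(repr(name_read(build_entityx(PROFILE, buf_len=39, name_len=25))))
```
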
