On 27 October 2017 at 13:06, John McKown <[email protected]> wrote:
> Coming in a bit sideways on this, and from another thread entirely. If I
> wanted to do z/OS RACF work when I'm logged into a CICS region (though I
> don't know why), then I think using the zOSMF REST API would be a much better
> way to go. This could be done using the ZOSMF TSO services REST API to run
> the RACF commands.
> ref:
> https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.izua700/izuprog_API_TSOServices.htm
>
> This should not affect system integrity because it is simple HTTP over
> TCPIP, which is native to CICS.

How would the caller authenticate to RACF to do this?

I was going to suggest that the ADMN_RUN_COMD function of the R_Admin (IRRSEQ00) RACF callable service would do the trick without compromising system integrity. But the problem here too is that only an already privileged caller can pass a userid to this service; otherwise it uses the caller's (presumably from ASXB_SENV).

Not knowing the IMS environment... if you can already manage to issue an ATTACH in an authorized state then presumably you can instead invoke IRRSEQ00 in an authorized state, pass in a userid, and have the command checked against that user's authority to issue it (which can be quite subtle).

Tony H.
