On Mon, 18 Nov 2019 at 10:55, scott Ford <[email protected]> wrote:
>
> So guys, stupid question: what about an STC that provisions for RACF, etc.,
> but the design is as a normal generalized user, but with an id
> with SPECIAL that is invoked only during the time of passing the command to
> RACF? Does it have to be APF authorized for RACF command
> access or am I misunderstanding my readings?
There are several ways of doing things.

If you're talking of using the IRRSEQ00 service to run a command in the RACF subsystem, you can be unauthorized, and it will use your current userid. You can be authorized, and pass it a userid or an ACEE, and it will use that. (If you pass it an ACEE it merely extracts the userid from it and uses that.) So no, you don't have to be APF authorized to run a RACF command, but you are of course subject to all the relevant RACF controls associated with the userid you're running under. If you want to generally run with a limited-permissions userid, but are APF authorized, then you can pass a SPECIAL (or other elevated privs) userid to IRRSEQ00 and have it use that for your provisioning commands.

There are several other ways to run RACF commands using another userid. You can use one of the (unaccountably many) TSO/E service routines that run commands. Or, for some but certainly not all TSO commands, you can just ATTACH the command as though you were a TMP, passing an appropriate CPPL that you fabricate. In that case, if you are authorized, you can create an ACEE for your SPECIAL userid, stick its address into TCBSENV, and your commands will run under that userid.

None of this is an MVS integrity exposure, BTW.

Tony H.
