Yep

On Mon, Nov 18, 2019 at 7:47 PM Tony Harminc <[email protected]> wrote:
> On Mon, 18 Nov 2019 at 10:55, scott Ford <[email protected]> wrote:
> >
> > So guys, stupid question: what about an STC that provisions for RACF, etc.,
> > but the design is as a normal generalized user, but with an id
> > with SPECIAL that is invoked only during the time of passing the command to
> > RACF? Does it have to be APF authorized for RACF command
> > access, or am I misunderstanding my readings?
>
> There are several ways of doing things. If you're talking of using the
> IRRSEQ00 service to run a command in the RACF subsystem, you can be
> unauthorized, and it will use your current userid. You can be
> authorized, and pass it a userid or an ACEE, and it will use that. (If
> you pass it an ACEE it merely extracts the userid from it and uses
> that.) So no, you don't have to be APF authorized to run a RACF
> command, but you are of course subject to all the relevant RACF
> controls associated with the userid you're running under. If you want
> to generally run with a limited-permissions userid, but are APF
> authorized, then you can pass a SPECIAL (or other elevated privs)
> userid to IRRSEQ00 and have it use that for your provisioning
> commands.
>
> There are several other ways to run RACF commands using another
> userid. You can use one of the (unaccountably many) TSO/E service
> routines that run commands. Or, for some but certainly not all TSO
> commands, you can just ATTACH the command as though you were a TMP,
> passing an appropriate CPPL that you fabricate. In that case, if you
> are authorized, you can create an ACEE for your SPECIAL userid, stick
> its address into TCBSENV, and your commands will run under that
> userid.
>
> None of this is an MVS integrity exposure, BTW.
>
> Tony H.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN

--
Scott Ford
IDMWORKS
z/OS Development
