Re: ISPF 3.4 DSLIST questions

2020-07-09 Thread Jesse 1 Robinson
As a novice sysprog, I was asked to write an app (CLIST in those days) that 
would enable a user to update a file but not read it. (!) Easy peasy in ASM2. 

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Bob 
Bridges
Sent: Thursday, July 9, 2020 8:20 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: ISPF 3.4 DSLIST questions

CAUTION EXTERNAL EMAIL

Ah, of course you're right, I'd forgotten that.  In ACF2 and Top Secret you can 
have UPDATE without READ, for example - it's needed only rarely, but it's 
possible with those two - not in RACF.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* Lord, before I commit a sin, it seems to me so shallow that I may wade 
through it dry-shod from any guiltiness; but when I have committed it, it often 
seems so deep that I cannot escape without drowning.  -Thomas Fuller 
(1608-1661) */

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of John McKown
Sent: Thursday, July 9, 2020 06:44

That's close. But the access is "hierarchical": ALTER access implies CONTROL
access implies UPDATE access implies READ access.  So if you want to know a 
person's access, you'd start at the most powerful and go downward.

--- On Wed, Jul 8, 2020 at 6:04 PM Bob Bridges  wrote:
> I've been doing mainframe security for a few decades now, but I've 
> never learned IBM's version of assembler (I still have ambitions of 
> doing that
> eventually) so I may be mistaken about how RACROUTE works.  But my 
> impression is that the question the OS asks the security system might 
> look like this:  "About resource HLQ.XYZ in class DATASET, does ABC 
> have UPDATE access to it?"  In other words, the question specifies the 
> class, the resource name, the user's ID and the level of access (READ 
> or whatever), and the answer is a simple Yes or No (or in rare cases 
> "I can't tell").
>
> Am I mistaken in that?  If not, then how do you learn what access ABC 
> has to HLQ.XYZ without asking once for READ, once for UPDATE and so on?

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: ISPF 3.4 DSLIST questions

2020-07-09 Thread Bob Bridges
Ah, of course you're right, I'd forgotten that.  In ACF2 and Top Secret you can 
have UPDATE without READ, for example - it's needed only rarely, but it's 
possible with those two - not in RACF.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* Lord, before I commit a sin, it seems to me so shallow that I may wade 
through it dry-shod from any guiltiness; but when I have committed it, it often 
seems so deep that I cannot escape without drowning.  -Thomas Fuller 
(1608-1661) */

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of John McKown
Sent: Thursday, July 9, 2020 06:44

That's close. But the access is "hierarchical": ALTER access implies CONTROL
access implies UPDATE access implies READ access.  So if you want to know a
person's access, you'd start at the most powerful and go downward.

--- On Wed, Jul 8, 2020 at 6:04 PM Bob Bridges  wrote:
> I've been doing mainframe security for a few decades now, but I've never
> learned IBM's version of assembler (I still have ambitions of doing that
> eventually) so I may be mistaken about how RACROUTE works.  But my
> impression is that the question the OS asks the security system might look
> like this:  "About resource HLQ.XYZ in class DATASET, does ABC have
> UPDATE access to it?"  In other words, the question specifies the class,
> the resource name, the user's ID and the level of access (READ or
> whatever), and the answer is a simple Yes or No (or in rare cases "I can't
> tell").
>
> Am I mistaken in that?  If not, then how do you learn what access ABC has
> to HLQ.XYZ without asking once for READ, once for UPDATE and so on?



Re: ISPF 3.4 DSLIST questions

2020-07-09 Thread Jesse 1 Robinson
Deepest apologies to David Spiegel. And to IBM. I never noticed the ACCESS 
option on the RACROUTE macro even though it's been there for a long time. 
RACF 1.9 is pretty hoary. 

So David's program is a nifty way to get the highest level of access allowed 
with a single call to RACF. I'm not sure what OP's requirement is for various 
users. A lot of RACF inquiries are based on the current (issuing) user unless 
some other user's ACEE is specified. That generally requires running APF 
authorized. 

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Lou 
Losee
Sent: Thursday, July 9, 2020 11:58 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: ISPF 3.4 DSLIST questions

One call to RACF - according to the description for the STATUS=ACCESS keyword 
on the RACROUTE REQUEST=AUTH macro in the RACROUTE manual:

 ACCESS - The request is simply to return the user's highest current access to 
the resource specified. Upon successful completion, the user's access is 
returned in the RACF reason code. No auditing is done for this request.
Note:
1. If the ATTR= keyword is specified along with STATUS=ACCESS, the ATTR= 
keyword is ignored.
2. To use the STATUS=ACCESS keyword, you must specify RELEASE=1.9 or later.

Lou
--
Artificial Intelligence is no match for Natural Stupidity
  - Unknown


On Thu, Jul 9, 2020 at 1:25 PM Jesse 1 Robinson 
wrote:

> One call to your program, or one call to RACF?
>
> .
> .
> J.O.Skip Robinson
> Southern California Edison Company
> Electric Dragon Team Paddler
> SHARE MVS Program Co-Manager
> 323-715-0595 Mobile
> 626-543-6132 Office ⇐=== NEW
> robin...@sce.com
>
> -Original Message-
> From: IBM Mainframe Discussion List  On 
> Behalf Of David Spiegel
> Sent: Thursday, July 9, 2020 1:30 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: (External):Re: ISPF 3.4 DSLIST questions
>
> Hi Skip,
> My program does it in one call.
>
> Regards,
> David
>
> On 2020-07-09 00:20, Jesse 1 Robinson wrote:
> > My experience with RACF echoes Bob Bridges, as does the excellent
> > code sample from David Spiegel. A single call directly to RACF returns a
> > yes/no for the level of access queried in that call.
> >
> > Ages ago I worked in an ASM2 shop. As I recall, ASM2 allowed a
> > single call to determine the highest level of access allowed. In any case,
> > it's a shame that RACF requires multiple calls. David's code appears
> > to do that but masks it for the user.
> >
> > .
> > .
> > J.O.Skip Robinson
> > Southern California Edison Company
> > Electric Dragon Team Paddler
> > SHARE MVS Program Co-Manager
> > 323-715-0595 Mobile
> > 626-543-6132 Office ⇐=== NEW
> > robin...@sce.com
> >
> > -Original Message-
> > From: IBM Mainframe Discussion List  On 
> > Behalf Of Mike Hochee
> > Sent: Wednesday, July 8, 2020 9:07 PM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: (External):Re: ISPF 3.4 DSLIST questions
> >
> > Hi Bob,
> >
> > If I was unfamiliar with assembler, I would not start by attempting to
> > use RACROUTE macros, as the combination of the two is a lot to chew on IMO.
> >
> > RACSEQ is a TSO command/utility for RACF written by Bruce Wells of
> > IBM some years ago. Documentation and assembler source are available
> > here...
> > ftp://ftp.www.ibm.com/s390/zos/racf/racseq/racseqReadMe.pdf
> > It is certainly callable from Rexx and is something you can customize
> > if desired.  Rather than RACROUTE, the program makes use of the RACF
> > R_admin callable service. RACF callable service functionality may map
> > more closely to the kind of permission/resource related questions you
> > posed. The RACF callable services are documented here...
> > https://www-01.ibm.com/servers/resourcelink/svc00100.nsf/pages/zOSV2R3sa232293/$file/ichd100_v2r3.pdf

Re: ISPF 3.4 DSLIST questions

2020-07-09 Thread Lou Losee
One call to RACF - according to the description for the STATUS=ACCESS
keyword on the RACROUTE REQUEST=AUTH macro in the RACROUTE manual:

 ACCESS - The request is simply to return the user's highest current access
to the resource specified. Upon successful completion, the user's access is
returned in the RACF reason code. No auditing is done for this request.
Note:
1. If the ATTR= keyword is specified along with STATUS=ACCESS, the ATTR=
keyword is ignored.
2. To use the STATUS=ACCESS keyword, you must specify RELEASE=1.9 or
later.

Lou
--
Artificial Intelligence is no match for Natural Stupidity
  - Unknown


On Thu, Jul 9, 2020 at 1:25 PM Jesse 1 Robinson 
wrote:

> One call to your program, or one call to RACF?
>
> .
> .
> J.O.Skip Robinson
> Southern California Edison Company
> Electric Dragon Team Paddler
> SHARE MVS Program Co-Manager
> 323-715-0595 Mobile
> 626-543-6132 Office ⇐=== NEW
> robin...@sce.com
>
> -Original Message-
> From: IBM Mainframe Discussion List  On Behalf
> Of David Spiegel
> Sent: Thursday, July 9, 2020 1:30 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: (External):Re: ISPF 3.4 DSLIST questions
>
> Hi Skip,
> My program does it in one call.
>
> Regards,
> David
>
> On 2020-07-09 00:20, Jesse 1 Robinson wrote:
> > My experience with RACF echoes Bob Bridges, as does the excellent code
> > sample from David Spiegel. A single call directly to RACF returns a yes/no
> > for the level of access queried in that call.
> >
> > Ages ago I worked in an ASM2 shop. As I recall, ASM2 allowed a single
> > call to determine the highest level of access allowed. In any case, it's a
> > shame that RACF requires multiple calls. David's code appears to do that
> > but masks it for the user.
> >
> > .
> > .
> > J.O.Skip Robinson
> > Southern California Edison Company
> > Electric Dragon Team Paddler
> > SHARE MVS Program Co-Manager
> > 323-715-0595 Mobile
> > 626-543-6132 Office ⇐=== NEW
> > robin...@sce.com
> >
> > -Original Message-
> > From: IBM Mainframe Discussion List  On
> > Behalf Of Mike Hochee
> > Sent: Wednesday, July 8, 2020 9:07 PM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: (External):Re: ISPF 3.4 DSLIST questions
> >
> > Hi Bob,
> >
> > If I was unfamiliar with assembler, I would not start by attempting to use
> > RACROUTE macros, as the combination of the two is a lot to chew on IMO.
> >
> > RACSEQ is a TSO command/utility for RACF written by Bruce Wells of IBM
> > some years ago. Documentation and assembler source are available
> > here...
> > ftp://ftp.www.ibm.com/s390/zos/racf/racseq/racseqReadMe.pdf
> > It is certainly callable
> > from Rexx and is something you can customize if desired.  Rather than
> > RACROUTE, the program makes use of the RACF R_admin callable service.
> > RACF callable service functionality may map more closely to the kind
> > of permission/resource related questions you posed. The RACF callable
> > services are documented here...
> > https://www-01.ibm.com/servers/resourcelink/svc00100.nsf/pages/zOSV2R3sa232293/$file/ichd100_v2r3.pdf
> >
> > HTH,
> > Mike
> >
> > -Original Message-
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> > On Behalf Of Bob Bridges
> > Sent: Wednesday, July 8, 2020 7:04 PM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: ISPF 3.4 DSLIST questions
> >
> > Caution! This message was sent from outside your organization.
> >
> > I've been doing mainframe security for a few decades now, but I've never
> > learned IBM's version of assembler (I still have ambitions of doing that
> > eventually) so I may be mistaken about how RACROUTE works.  But my
> > impression is that the question the OS asks the security system might look
> > like this:  "About resource HLQ.XYZ in class DATASET, does ABC have
> > UPDATE access to it?"  In other words, the question specifies the class,
> > the resource name, the user's ID and the level of access (READ or
> > wh

Re: ISPF 3.4 DSLIST questions

2020-07-09 Thread David Spiegel

Both are one call.

On 2020-07-09 14:25, Jesse 1 Robinson wrote:

One call to your program, or one call to RACF?

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
David Spiegel
Sent: Thursday, July 9, 2020 1:30 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: ISPF 3.4 DSLIST questions

Hi Skip,
My program does it in one call.

Regards,
David

On 2020-07-09 00:20, Jesse 1 Robinson wrote:

My experience with RACF echoes Bob Bridges, as does the excellent code sample 
from David Spiegel. A single call directly to RACF returns a yes/no for the 
level of access queried in that call.

Ages ago I worked in an ASM2 shop. As I recall, ASM2 allowed a single call to 
determine the highest level of access allowed. In any case, it's a shame that 
RACF requires multiple calls. David's code appears to do that but masks it for 
the user.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com

-Original Message-
From: IBM Mainframe Discussion List  On
Behalf Of Mike Hochee
Sent: Wednesday, July 8, 2020 9:07 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: ISPF 3.4 DSLIST questions

Hi Bob,

If I was unfamiliar with assembler, I would not start by attempting to use
RACROUTE macros, as the combination of the two is a lot to chew on IMO.

RACSEQ is a TSO command/utility for RACF written by Bruce Wells of IBM
some years ago. Documentation and assembler source are available
here...
ftp://ftp.www.ibm.com/s390/zos/racf/racseq/racseqReadMe.pdf
It is certainly callable
from Rexx and is something you can customize if desired.  Rather than
RACROUTE, the program makes use of the RACF R_admin callable service.
RACF callable service functionality may map more closely to the kind
of permission/resource related questions you posed. The RACF callable
services are documented here...
https://www-01.ibm.com/servers/resourcelink/svc00100.nsf/pages/zOSV2R3sa232293/$file/ichd100_v2r3.pdf

HTH,
Mike

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
On Behalf Of Bob Bridges
Sent: Wednesday, July 8, 2020 7:04 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ISPF 3.4 DSLIST questions

I've been doing mainframe security for a few decades now, but I've never learned IBM's version of 
assembler (I still have ambitions of doing that eventually) so I may be mistaken about how RACROUTE 
works.  But my impression is that the question the OS asks the security system might look like 
this:  "About resource HLQ.XYZ in class DATASET, does ABC have UPDATE access to it?"  In 
other words, the question specifies the class, the resource name, the user's ID and the level of 
access (READ or whatever), and the answer is a simple Yes or No (or in rare cases "I can't 
tell").

Am I mistaken in that?  If not, then how do you learn what access ABC has to 
HLQ.XYZ without asking once for READ, once for UPDATE and so on?

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* People don't really want to go back to a time when the world was
simpler. They want to go back to a time when they didn't understand
how complicated the world has always been. */


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
On Behalf Of David Spiegel
Sent: Tuesday, July 7, 2020 18:15

"...  But if you want to know all the kinds of access you have, you'd need to ask 
the question three or four times, for read, update, execute and create. ..."

This statement is not true.

I published an Assembler program and a Rexx Exec here on June 14.
My program has been placed on CBT File 836 (for now, it's in the Update section 
of the website).

--- On 2020-07-07 17:45, Bob Bridges wrote:

Nothing useful to say about your first question, but about the second:  I can 
think of two ways to pull your access information for a list of datasets.

1) Query the system about which security app is running (RACF, ACF2 or TSS), then issue the 
commands and parse the output.  Display only the brief results, eg "RW" fo

Re: ISPF 3.4 DSLIST questions

2020-07-09 Thread Jesse 1 Robinson
One call to your program, or one call to RACF?

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
David Spiegel
Sent: Thursday, July 9, 2020 1:30 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: ISPF 3.4 DSLIST questions

Hi Skip,
My program does it in one call.

Regards,
David

On 2020-07-09 00:20, Jesse 1 Robinson wrote:
> My experience with RACF echoes Bob Bridges, as does the excellent code sample 
> from David Spiegel. A single call directly to RACF returns a yes/no for the 
> level of access queried in that call.
>
> Ages ago I worked in an ASM2 shop. As I recall, ASM2 allowed a single call to 
> determine the highest level of access allowed. In any case, it's a shame that 
> RACF requires multiple calls. David's code appears to do that but masks it 
> for the user.
>
> .
> .
> J.O.Skip Robinson
> Southern California Edison Company
> Electric Dragon Team Paddler
> SHARE MVS Program Co-Manager
> 323-715-0595 Mobile
> 626-543-6132 Office ⇐=== NEW
> robin...@sce.com
>
> -Original Message-
> From: IBM Mainframe Discussion List  On 
> Behalf Of Mike Hochee
> Sent: Wednesday, July 8, 2020 9:07 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: (External):Re: ISPF 3.4 DSLIST questions
>
> Hi Bob,
>
> If I was unfamiliar with assembler, I would not start by attempting to use
> RACROUTE macros, as the combination of the two is a lot to chew on IMO.
>
> RACSEQ is a TSO command/utility for RACF written by Bruce Wells of IBM
> some years ago. Documentation and assembler source are available
> here...
> ftp://ftp.www.ibm.com/s390/zos/racf/racseq/racseqReadMe.pdf
> It is certainly callable
> from Rexx and is something you can customize if desired.  Rather than
> RACROUTE, the program makes use of the RACF R_admin callable service.
> RACF callable service functionality may map more closely to the kind
> of permission/resource related questions you posed. The RACF callable
> services are documented here...
> https://www-01.ibm.com/servers/resourcelink/svc00100.nsf/pages/zOSV2R3sa232293/$file/ichd100_v2r3.pdf
>
> HTH,
> Mike
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] 
> On Behalf Of Bob Bridges
> Sent: Wednesday, July 8, 2020 7:04 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: ISPF 3.4 DSLIST questions
>
> I've been doing mainframe security for a few decades now, but I've never 
> learned IBM's version of assembler (I still have ambitions of doing that 
> eventually) so I may be mistaken about how RACROUTE works.  But my impression 
> is that the question the OS asks the security system might look like this:  
> "About resource HLQ.XYZ in class DATASET, does ABC have UPDATE access to it?" 
>  In other words, the question specifies the class, the resource name, the 
> user's ID and the level of access (READ or whatever), and the answer is a 
> simple Yes or No (or in rare cases "I can't tell").
>
> Am I mistaken in that?  If not, then how do you learn what access ABC has to 
> HLQ.XYZ without asking once for READ, once for UPDATE and so on?
>
> ---
> Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313
>
> /* People don't really want to go back to a time when the world was 
> simpler. They want to go back to a time when they didn't understand 
> how complicated the world has always been. */
>
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] 
> On Behalf Of David Spiegel
> Sent: Tuesday, July 7, 2020 18:15
>
> "...  But if you want to know all the kinds of access you have, you'd need to 
> ask the question three or four times, for read, update, execute and create. 
> ..."
>
> This statement is not true.
>
> I published an Assembler program and a Rexx Exec here on June 14.
> My program has been placed on CBT File 836 (for now, it'

Re: ISPF 3.4 DSLIST questions

2020-07-09 Thread Tom Brennan
About 100 years ago I wrote such a program and did 4 calls, one each for 
ATTR=READ/UPDATE/CONTROL/ALTER.  So either something new came out later, 
or I just didn't look hard enough :)   I never thought of it as a big 
deal though, it's not like my program was getting called a million times 
a day.


On 7/9/2020 1:29 AM, David Spiegel wrote:

Hi Skip,
My program does it in one call.

Regards,
David

On 2020-07-09 00:20, Jesse 1 Robinson wrote:
My experience with RACF echoes Bob Bridges, as does the excellent code 
sample from David Spiegel. A single call directly to RACF returns a 
yes/no for the level of access queried in that call.


Ages ago I worked in an ASM2 shop. As I recall, ASM2 allowed a single 
call to determine the highest level of access allowed. In any case, 
it's a shame that RACF requires multiple calls. David's code appears 
to do that but masks it for the user.


.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com

-Original Message-
From: IBM Mainframe Discussion List  On 
Behalf Of Mike Hochee

Sent: Wednesday, July 8, 2020 9:07 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: ISPF 3.4 DSLIST questions

Hi Bob,

If I was unfamiliar with assembler, I would not start by attempting to
use RACROUTE macros, as the combination of the two is a lot to chew on
IMO.

RACSEQ is a TSO command/utility for RACF written by Bruce Wells of IBM
some years ago. Documentation and assembler source are available
here...
ftp://ftp.www.ibm.com/s390/zos/racf/racseq/racseqReadMe.pdf
It is certainly callable from Rexx and is something you can customize
if desired.  Rather than RACROUTE, the program makes use of the RACF
R_admin callable service.  RACF callable service functionality may map
more closely to the kind of permission/resource related questions you
posed. The RACF callable services are documented here...
https://www-01.ibm.com/servers/resourcelink/svc00100.nsf/pages/zOSV2R3sa232293/$file/ichd100_v2r3.pdf



HTH,
Mike

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] 
On Behalf Of Bob Bridges

Sent: Wednesday, July 8, 2020 7:04 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ISPF 3.4 DSLIST questions

I've been doing mainframe security for a few decades now, but I've 
never learned IBM's version of assembler (I still have ambitions of 
doing that eventually) so I may be mistaken about how RACROUTE works.  
But my impression is that the question the OS asks the security system 
might look like this:  "About resource HLQ.XYZ in class DATASET, does 
ABC have UPDATE access to it?"  In other words, the question specifies 
the class, the resource name, the user's ID and the level of access 
(READ or whatever), and the answer is a simple Yes or No (or in rare 
cases "I can't tell").


Am I mistaken in that?  If not, then how do you learn what access ABC 
has to HLQ.XYZ without asking once for READ, once for UPDATE and so on?


---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* People don't really want to go back to a time when the world was 
simpler. They want to go back to a time when they didn't understand 
how complicated the world has always been. */



-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] 
On Behalf Of David Spiegel

Sent: Tuesday, July 7, 2020 18:15

"...  But if you want to know all the kinds of access you have, you'd 
need to ask the question three or four times, for read, update, 
execute and create. ..."


This statement is not true.

I published an Assembler program and a Rexx Exec here on June 14.
My program has been placed on CBT File 836 (for now, it's in the 
Update section of the website).


--- On 2020-07-07 17:45, Bob Bridges wrote:
Nothing useful to say about your first question, but about the 
second:  I can think of two ways to pull your access information for 
a list of datasets.


1) Query the system about which security app is running (RACF, ACF2 
or TSS), then issue the commands and parse the output.  Display only 
the brief results, eg "RW" for "read/write".  I have a REXX that can 
tell you which security app is running, if you're interested.


That involves a lot of coding.  It might be 

Re: ISPF 3.4 DSLIST questions

2020-07-09 Thread John McKown
On Wed, Jul 8, 2020 at 6:04 PM Bob Bridges  wrote:

> I've been doing mainframe security for a few decades now, but I've never
> learned IBM's version of assembler (I still have ambitions of doing that
> eventually) so I may be mistaken about how RACROUTE works.  But my
> impression is that the question the OS asks the security system might look
> like this:  "About resource HLQ.XYZ in class DATASET, does ABC have
> UPDATE access to it?"  In other words, the question specifies the class,
> the resource name, the user's ID and the level of access (READ or
> whatever), and the answer is a simple Yes or No (or in rare cases "I can't
> tell").
>
> Am I mistaken in that?  If not, then how do you learn what access ABC has
> to HLQ.XYZ without asking once for READ, once for UPDATE and so on?
>

That's close. But the access is "hierarchical": ALTER access implies CONTROL
access implies UPDATE access implies READ access.  So if you want to know a
person's access, you'd start at the most powerful and go downward.

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.ichc600/rrauthstd.htm

,ATTR=READ
,ATTR=UPDATE
,ATTR=CONTROL
,ATTR=ALTER
,ATTR=reg

specifies the level of authority requested. RACF checks the resource profile
protecting the resource identified by the ENTITY and CLASS keywords. The
values have the following hierarchical order:

   - *READ*
   - *UPDATE*
   - *CONTROL*
   - *ALTER*

That is, if a user has update authority and ATTR=READ is specified, RACF
returns a return code of 0. If ATTR=CONTROL, RACF returns a return code of
8.

*For multilevel secure environments*:

   1. When ATTR=READ or ALTER, it will be treated as though it was a
   read-only request for purposes of mandatory access control (MAC) checking.
   2. When ATTR=UPDATE or CONTROL, it will be treated as though it was a
   read-write request for purposes of mandatory access control (MAC) checking.

If a register is specified, the register must contain one of the following
codes in the low-order byte of the register:

   - X'02' READ
   - X'04' UPDATE
   - X'08' CONTROL
   - X'80' ALTER

The default is ATTR=READ.



>
> ---
> Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313
>
> --
People in sleeping bags are the soft tacos of the bear world.
Maranatha! <><
John McKown
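
Added example (not part of the original messages, and a model rather than RACF code): the two approaches discussed in this thread side by side, probing downward through the READ/UPDATE/CONTROL/ALTER hierarchy with yes/no checks versus a single highest-access query of the kind described for STATUS=ACCESS. The classes, function names and the grants for user ABC are constructed for illustration; the second model assumes independent permissions, the case the thread attributes to ACF2 and Top Secret, where UPDATE without READ is possible.

```python
from enum import IntEnum


class Attr(IntEnum):
    """ATTR=reg low-order-byte codes, as quoted from the manual in the message above."""
    READ = 0x02
    UPDATE = 0x04
    CONTROL = 0x08
    ALTER = 0x80


ASCENDING = [Attr.READ, Attr.UPDATE, Attr.CONTROL, Attr.ALTER]
RC_OK, RC_DENIED = 0, 8   # return codes from the quoted text (0 = allowed, 8 = not)


class HierarchicalModel:
    """Constructed model: a user holds at most one level, which implies all lower ones."""

    def __init__(self, grants):
        self.grants = grants      # user ID -> Attr (absent = no access)
        self.calls = 0            # number of questions asked so far

    def auth(self, user, attr):
        """One yes/no question: does `user` have at least `attr`?"""
        self.calls += 1
        held = self.grants.get(user)
        if held is not None and ASCENDING.index(attr) <= ASCENDING.index(held):
            return RC_OK
        return RC_DENIED

    def status_access(self, user):
        """Model of a highest-access query: one call, level returned (None = no access)."""
        self.calls += 1
        return self.grants.get(user)


class FlagModel:
    """Constructed model with independent permissions, so UPDATE without READ can exist."""

    def __init__(self, grants):
        self.grants = grants      # user ID -> set of Attr
        self.calls = 0

    def auth(self, user, attr):
        self.calls += 1
        return RC_OK if attr in self.grants.get(user, set()) else RC_DENIED


def highest_by_probing(model, user):
    """Start at the most powerful level and go downward; stop at the first yes."""
    for attr in reversed(ASCENDING):
        if model.auth(user, attr) == RC_OK:
            return attr
    return None


def held_by_probing_all(model, user):
    """Ask about every level; needed when one level does not imply the others."""
    return {attr for attr in ASCENDING if model.auth(user, attr) == RC_OK}


def demo():
    hier = HierarchicalModel({"ABC": Attr.UPDATE})   # constructed sample grant
    probed = highest_by_probing(hier, "ABC")         # asks ALTER, CONTROL, UPDATE
    probe_calls = hier.calls
    hier.calls = 0
    single = hier.status_access("ABC")               # same answer in one call
    flags = FlagModel({"ABC": {Attr.UPDATE}})        # UPDATE but not READ
    return {
        "probed": probed,
        "probe_calls": probe_calls,
        "single": single,
        "single_calls": hier.calls,
        # With independent permissions the top-down answer is still UPDATE,
        # but only the exhaustive probe shows that READ is not held.
        "flag_highest": highest_by_probing(flags, "ABC"),
        "flag_held": held_by_probing_all(flags, "ABC"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the hierarchical model the top-down probe and the single query agree, and the only difference is the number of calls; in the independent-permission model the highest level alone no longer tells you which lower levels are held.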



Re: ISPF 3.4 DSLIST questions

2020-07-09 Thread David Spiegel

Hi Skip,
My program does it in one call.

Regards,
David

On 2020-07-09 00:20, Jesse 1 Robinson wrote:

My experience with RACF echoes Bob Bridges, as does the excellent code sample 
from David Spiegel. A single call directly to RACF returns a yes/no for the 
level of access queried in that call.

Ages ago I worked in an ASM2 shop. As I recall, ASM2 allowed a single call to 
determine the highest level of access allowed. In any case, it's a shame that 
RACF requires multiple calls. David's code appears to do that but masks it for 
the user.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Mike Hochee
Sent: Wednesday, July 8, 2020 9:07 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: ISPF 3.4 DSLIST questions

Hi Bob,

If I was unfamiliar with assembler, I would not start by attempting to use
RACROUTE macros, as the combination of the two is a lot to chew on IMO.

RACSEQ is a TSO command/utility for RACF written by Bruce Wells of IBM some years ago. Documentation
and assembler source are available here...
ftp://ftp.www.ibm.com/s390/zos/racf/racseq/racseqReadMe.pdf
It is certainly callable from Rexx and is something you can customize if desired.  Rather than
RACROUTE, the program makes use of the RACF R_admin callable service.  RACF callable service
functionality may map more closely to the kind of permission/resource related questions you posed. The
RACF callable services are documented here...
https://www-01.ibm.com/servers/resourcelink/svc00100.nsf/pages/zOSV2R3sa232293/$file/ichd100_v2r3.pdf

HTH,
Mike

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Bob Bridges
Sent: Wednesday, July 8, 2020 7:04 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ISPF 3.4 DSLIST questions

I've been doing mainframe security for a few decades now, but I've never learned IBM's version of 
assembler (I still have ambitions of doing that eventually) so I may be mistaken about how RACROUTE 
works.  But my impression is that the question the OS asks the security system might look like 
this:  "About resource HLQ.XYZ in class DATASET, does ABC have UPDATE access to it?"  In 
other words, the question specifies the class, the resource name, the user's ID and the level of 
access (READ or whatever), and the answer is a simple Yes or No (or in rare cases "I can't 
tell").

Am I mistaken in that?  If not, then how do you learn what access ABC has to 
HLQ.XYZ without asking once for READ, once for UPDATE and so on?

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* People don't really want to go back to a time when the world was simpler. 
They want to go back to a time when they didn't understand how complicated the 
world has always been. */


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of David Spiegel
Sent: Tuesday, July 7, 2020 18:15

"...  But if you want to know all the kinds of access you have, you'd need to ask 
the question three or four times, for read, update, execute and create. ..."

This statement is not true.

I published an Assembler program and a Rexx Exec here on June 14.
My program has been placed on CBT File 836 (for now, it's in the Update section 
of the website).

--- On 2020-07-07 17:45, Bob Bridges wrote:

Nothing useful to say about your first question, but about the second:  I can 
think of two ways to pull your access information for a list of datasets.

1) Query the system about which security app is running (RACF, ACF2 or TSS), then issue the 
commands and parse the output.  Display only the brief results, eg "RW" for 
"read/write".  I have a REXX that can tell you which security app is running, if you're 
interested.

That involves a lot of coding.  It might be simpler (if you can find a way to 
do it) to 2) do a RACROUTE query, since that sends the question to existing 
security system and returns simply 0 (access allowed), 8 (not allowed) or very 
rarely 4 (can't tell).  But if you want to know all the kinds of access you 
have, you'd need to ask the question three or four times, for read, update, 
execute and create

Re: ISPF 3.4 DSLIST questions

2020-07-08 Thread Jesse 1 Robinson
My experience with RACF echoes Bob Bridges, as does the excellent code sample 
from David Spiegel. A single call directly to RACF returns a yes/no for the 
level of access queried in that call.  

Ages ago I worked in an ASM2 shop. As I recall, ASM2 allowed a single call to 
determine the highest level of access allowed. In any case, it's a shame that 
RACF requires multiple calls. David's code appears to do that but masks it for 
the user. 

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Mike Hochee
Sent: Wednesday, July 8, 2020 9:07 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: ISPF 3.4 DSLIST questions

Hi Bob,

If I was unfamiliar with assembler, I would not start by attempting to use 
RACROUTE macros, as the combination of the two is a lot to chew on IMO.

RACSEQ is a TSO command/utility for RACF written by Bruce Wells of IBM some 
years ago. Documentation and assembler source are available here... 
ftp://ftp.www.ibm.com/s390/zos/racf/racseq/racseqReadMe.pdf  It is certainly 
callable from Rexx and is something you can customize if desired.  Rather than 
RACROUTE, the program makes use of the RACF R_admin callable service.  RACF 
callable service functionality may map more closely to the kind of 
permission/resource related questions you posed. The RACF callable services are 
documented here... 
https://www-01.ibm.com/servers/resourcelink/svc00100.nsf/pages/zOSV2R3sa232293/$file/ichd100_v2r3.pdf

HTH,
Mike

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Bob Bridges
Sent: Wednesday, July 8, 2020 7:04 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ISPF 3.4 DSLIST questions

I've been doing mainframe security for a few decades now, but I've never 
learned IBM's version of assembler (I still have ambitions of doing that 
eventually) so I may be mistaken about how RACROUTE works.  But my impression 
is that the question the OS asks the security system might look like this:  
"About resource HLQ.XYZ in class DATASET, does ABC have UPDATE access to it?"  
In other words, the question specifies the class, the resource name, the user's 
ID and the level of access (READ or whatever), and the answer is a simple Yes 
or No (or in rare cases "I can't tell").

Am I mistaken in that?  If not, then how do you learn what access ABC has to 
HLQ.XYZ without asking once for READ, once for UPDATE and so on?

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* People don't really want to go back to a time when the world was simpler. 
They want to go back to a time when they didn't understand how complicated the 
world has always been. */


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of David Spiegel
Sent: Tuesday, July 7, 2020 18:15

"...  But if you want to know all the kinds of access you have, you'd need to 
ask the question three or four times, for read, update, execute and create. ..."

This statement is not true.

I published an Assembler program and a Rexx Exec here on June 14.
My program has been placed on CBT File 836 (for now, it's in the Update section 
of the website).

--- On 2020-07-07 17:45, Bob Bridges wrote:
> Nothing useful to say about your first question, but about the second:  I can 
> think of two ways to pull your access information for a list of datasets.
>
> 1) Query the system about which security app is running (RACF, ACF2 or TSS), 
> then issue the commands and parse the output.  Display only the brief 
> results, eg "RW" for "read/write".  I have a REXX that can tell you which 
> security app is running, if you're interested.
>
> That involves a lot of coding.  It might be simpler (if you can find a way to 
> do it) to 2) do a RACROUTE query, since that sends the question to existing 
> security system and returns simply 0 (access allowed), 8 (not allowed) or 
> very rarely 4 (can't tell).  But if you want to know all the kinds of access 
> you have, you'd need to ask the question three or four times, for read, 
> update, execute and create.
>
> And for both methods you'd have to do the query for every dataset in the 
> list.  If you do long lists and/or do this often, it puts a burden on the 
> system that might get you talked about (and to) by the operations folks.  
> Probably not a good idea.
>
> -Original Message-
> From: IBM Mainframe Discussion List  On 
> Behalf Of Tim Hare
> Sent: Tuesday, July 7, 2020 1:08 PM
>
> I have some questions about the ISPF 3.4 utility.
>
> 1. Why does 'Referred' show on the &q

Re: ISPF 3.4 DSLIST questions

2020-07-08 Thread Mike Hochee
Hi Bob, 

If I was unfamiliar with assembler, I would not start by attempting to use 
RACROUTE macros, as the combination of the two is a lot to chew on IMO. 

RACSEQ is a TSO command/utility for RACF written by Bruce Wells of IBM some 
years ago. Documentation and assembler source are available here... 
ftp://ftp.www.ibm.com/s390/zos/racf/racseq/racseqReadMe.pdf  It is certainly 
callable from Rexx and is something you can customize if desired.  Rather than 
RACROUTE, the program makes use of the RACF R_admin callable service.  RACF 
callable service functionality may map more closely to the kind of 
permission/resource related questions you posed. The RACF callable services are 
documented here... 
https://www-01.ibm.com/servers/resourcelink/svc00100.nsf/pages/zOSV2R3sa232293/$file/ichd100_v2r3.pdf
  

HTH, 
Mike 

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Bob Bridges
Sent: Wednesday, July 8, 2020 7:04 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ISPF 3.4 DSLIST questions

I've been doing mainframe security for a few decades now, but I've never 
learned IBM's version of assembler (I still have ambitions of doing that 
eventually) so I may be mistaken about how RACROUTE works.  But my impression 
is that the question the OS asks the security system might look like this:  
"About resource HLQ.XYZ in class DATASET, does ABC have UPDATE access to it?"  
In other words, the question specifies the class, the resource name, the user's 
ID and the level of access (READ or whatever), and the answer is a simple Yes 
or No (or in rare cases "I can't tell").

Am I mistaken in that?  If not, then how do you learn what access ABC has to 
HLQ.XYZ without asking once for READ, once for UPDATE and so on?

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* People don't really want to go back to a time when the world was simpler. 
They want to go back to a time when they didn't understand how complicated the 
world has always been. */


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of David Spiegel
Sent: Tuesday, July 7, 2020 18:15

"...  But if you want to know all the kinds of access you have, you'd need to 
ask the question three or four times, for read, update, execute and create. ..."

This statement is not true.

I published an Assembler program and a Rexx Exec here on June 14.
My program has been placed on CBT File 836 (for now, it's in the Update section 
of the website).

--- On 2020-07-07 17:45, Bob Bridges wrote:
> Nothing useful to say about your first question, but about the second:  I can 
> think of two ways to pull your access information for a list of datasets.
>
> 1) Query the system about which security app is running (RACF, ACF2 or TSS), 
> then issue the commands and parse the output.  Display only the brief 
> results, eg "RW" for "read/write".  I have a REXX that can tell you which 
> security app is running, if you're interested.
>
> That involves a lot of coding.  It might be simpler (if you can find a way to 
> do it) to 2) do a RACROUTE query, since that sends the question to existing 
> security system and returns simply 0 (access allowed), 8 (not allowed) or 
> very rarely 4 (can't tell).  But if you want to know all the kinds of access 
> you have, you'd need to ask the question three or four times, for read, 
> update, execute and create.
>
> And for both methods you'd have to do the query for every dataset in the 
> list.  If you do long lists and/or do this often, it puts a burden on the 
> system that might get you talked about (and to) by the operations folks.  
> Probably not a good idea.
>
> -Original Message-
> From: IBM Mainframe Discussion List  On 
> Behalf Of Tim Hare
> Sent: Tuesday, July 7, 2020 1:08 PM
>
> I have some questions about the ISPF 3.4 utility.
>
> 1. Why does 'Referred' show on the "total" display for datasets,  but if you 
> print the dataset list, you don't get it?
>
> 2. Are there ways to extend what is displayed?  For one example:  I 
> would like to have  column for 'Your Access' that would show me what 
> RACF says my access is,  rather than having to do LD DA(/) ALL GEN on 
> a line, and "suffer" through the TSO command output  (as I've rarely 
> worked with ACF2 and never with Top Secret I don't know if such a 
> request  can be done for 'generic security system')



Re: ISPF 3.4 DSLIST questions

2020-07-08 Thread David Spiegel

Hi Bob,
Here is my RACROUTE program from CBT File 836:
RACROUTE TITLE 'RACROUTE STATUS=ACCESS'
* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - *
*
*    Author:   David Spiegel
*
*    Update:   Sam Golob  - June 17, 2020
*  Return words instead of only the reason code.
*
* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - *
*
*  This program is meant to be used with the following REXX:
*
*  /*   rexx */
*  Arg dsn
*  Address TSO "Call *(Racrout) '"dsn"'"
*
* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - *
RACROUTE CSECT ,
RACROUTE AMODE 31
RACROUTE RMODE ANY
         SAVE  (14,12),,RACROUTE.  Save caller's regs.
         LR    R12,R15         Load address of entry point
         USING RACROUTE,R12    Give assembler program's base reg.
*
         LR    R11,R1          Save Pointer to Parameter Address Blk
         USING ARGS,R11
*
         GETMAIN R,LV=SAVESIZE,LOC=BELOW
         XC    0(CLEARSIZ,R1),0(R1)  Clear the save/work area
         ST    R1,8(,R13)      Save new save area addr.in old area
         ST    R13,4(,R1)      Save old save area addr.in new area
         LR    R13,R1          Replace old save area with new one
         USING SAVEAREA,R13    Tell assembler about save area
*
*        Copy the data set name from the PARM into THEENT
*
         L     R11,0(,R11)     Point to the PARM (length + text)
         LH    R5,0(,R11)      PARM length
         SLR   R4,R4           Return code 0 if we exit early
         C     R5,=F'0'        PARM?
         BE    OUTFREE         No, RETURN
         C     R5,=F'44'       Longer than a data set name?
         BH    OUTFREE         Yes, do not overrun THEENT
*
         BCTR  R5,0            Length minus 1 for EX
         EX    R5,MVC          Move the name into THEENT
         B     CONTINUE
*
MVC      MVC   THEENT(*-*),2(R11)
*
*        Ask for the highest access the user has (STATUS=ACCESS)
*
CONTINUE DS    0F
         RACROUTE REQUEST=AUTH,                                        x
               RELEASE=1.9,                                            x
               STATUS=ACCESS,                                          x
               CLASS='DATASET',                                        x
               ATTR=UPDATE,                                            x
               ENTITY=THEENT,VOLSER=THEVOL,                            x
               WORKA=SAFWORKA
         LM    R3,R4,CONTINUE+4  Save Return Code, Reason Code
         ST    R4,SAVER4A
*
*        Branch table indexed by the reason code
*
RETURN   DS    0H
*        WTO   'RACROUTE About to Exit'
         L     R4,SAVER4A
         B     *+4(R4)
         B     NONE            00  no access
         B     READ            04  READ
         B     UPDATE          08  UPDATE
         B     CONTROL         0C  CONTROL
         B     ALTER           10  ALTER
         B     OUTFREE
         B     OUTFREE
OUTFREE  DS    0H
         LR    R1,R13          Save old save area addr. for FREEMAIN
         L     R13,4(,R13)     Restore old save area address
         FREEMAIN R,LV=SAVESIZE,A=(1)
EXIT     DS    0H
*        SLR   R15,R15         Set a return code of zero
         LR    R15,R4          Return with Reason Code
         RETURN (14,12),RC=(15)  Return to caller, reason code in R15
*
NONE     DS    0H
         MVI   OUTLINE-1,X'40'     Blank the output line
         MVC   OUTLINE,OUTLINE-1
         MVC   OUTLINE,=CL17'Access is NONE '
         TPUT  OUTLINE,17
         B     OUTFREE
READ     DS    0H
         MVI   OUTLINE-1,X'40'
         MVC   OUTLINE,OUTLINE-1
         MVC   OUTLINE,=CL8'READ'
         MVC   OUTLINE,=CL17'Access is READ '
         TPUT  OUTLINE,17
         B     OUTFREE
UPDATE   DS    0H
         MVI   OUTLINE-1,X'40'
         MVC   OUTLINE,OUTLINE-1
         MVC   OUTLINE,=CL17'Access is UPDATE '
         TPUT  OUTLINE,17
         B     OUTFREE
CONTROL  DS    0H
         MVI   OUTLINE-1,X'40'
         MVC   OUTLINE,OUTLINE-1
         MVC   OUTLINE,=CL17'Access is CONTROL'
         TPUT  OUTLINE,17
         B     OUTFREE
ALTER    DS    0H
         MVI   OUTLINE-1,X'40'
         MVC   OUTLINE,OUTLINE-1
         MVC   OUTLINE,=CL17'Access is ALTER '
         TPUT  OUTLINE,17
         B     OUTFREE
*
*
*
         DS    0D
SAFWORKA DS    CL512
THEENT   DC    CL44' '
THEVOL   DC    CL6'THEVOL'
*
*
*
SAVEAREA DSECT ,               Register save area and work area
         DS    18F             Register save area
CLEARSIZ EQU   *-SAVEAREA      Save and work area size
         DS    X
OUTLINE  DS    CL19
SAVER4A  DS    F
RECORD   DS    0CL16
USERID   DS    CL8
PASSWORD DS    CL8
RECSIZE  EQU   *-RECORD
WTO0     WTO   ' ',                                                    X
               MF=L
WTO0L    EQU   *-WTO0
SAVESIZE EQU   *-SAVEAREA      Save and work area size
*
*
*
ARGS     DSECT
         DS    0D
LENGTH   DS    H
DSNAME   DS    CL44            Dataset Name to Check
         YREGS
         END


Please run my RACROUTE program  by calling it with this Rexx EXEC:
/* Rexx */
/* Trace I */
/*
   Return Codes from RACROUTE:

   00  The user has no access.
   04  The user has READ authority.
   08  The user has UPDATE authority.
   0C  The user has CONTROL authority.
   10  The user has ALTER authority

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.
v2r1.ichc600/ich2c6_Return_codes_and_reason_codes1.htm
 */
Arg dsn
Address TSO "Call *(Racroute) '"dsn"'"
Say rc

Please note that the Load Module must be in a //STEPLIB  to LNKLST.
If not, you can specify the PDS where it resides:
Address TSO "Call 'USER.LOAD(Racroute)' '"dsn"'"

Regards,
David

On 2020-07-08 19:03, Bob Bridges wrote:

I've been doing mainframe security for a few decades now, but I've never learned IBM's version of 
assembler (I still 
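
Tying Lionel Dyck's LMDLIST suggestion to the program above, the following REXX is an added example (not code from the thread or from CBT File 836) that prints a "Your Access" value for each data set under a level. The exec name MYACCESS, the default cap of 100 data sets and the UNKNOWN label are assumptions; it must run under ISPF with the RACROUTE load module reachable as David describes.

```rexx
/* Rexx - added example, not part of CBT File 836                    */
/* Lists the data sets under a level with the caller's RACF access,  */
/* one call to the RACROUTE program per data set.                    */
Arg level maxdsn .
If level = '' Then Do
  Say 'Usage: MYACCESS dsname-level [max-data-sets]'
  Exit 12
End
/* Cap the number of RACF calls so a broad level does not flood RACF */
If Datatype(maxdsn,'W') = 0 Then maxdsn = 100

/* Reason codes the program hands back as its return code */
acc.   = 'UNKNOWN'
acc.0  = 'NONE'
acc.4  = 'READ'
acc.8  = 'UPDATE'
acc.12 = 'CONTROL'
acc.16 = 'ALTER'

Address ISPEXEC "CONTROL ERRORS RETURN"
Address ISPEXEC "LMDINIT LISTID(LID) LEVEL("level")"
If rc <> 0 Then Do
  Say 'LMDINIT failed, rc='rc
  Exit 8
End

dsn   = ''                     /* blank = start at the top of the list */
count = 0
Do While count < maxdsn
  Address ISPEXEC "LMDLIST LISTID("lid") OPTION(LIST) DATASET(DSN)",
                  "STATS(NO)"
  If rc > 8 Then Say 'LMDLIST failed, rc='rc
  If rc <> 0 Then Leave        /* 4 = nothing matched, 8 = end of list */
  count = count + 1
  name = Strip(dsn)
  If Length(name) > 44 Then Iterate   /* never pass an oversized name */
  Address TSO "CALL *(RACROUTE) '"name"'"
  code = rc                    /* 0, 4, 8, 12 or 16 from the program   */
  Say Left(name,44) acc.code
End

/* Release the data set list and the list id */
Address ISPEXEC "LMDLIST LISTID("lid") OPTION(FREE)"
Address ISPEXEC "LMDFREE LISTID("lid")"
Exit 0
```

Each CALL also writes the program's own TPUT line to the terminal, so the output shows that line followed by the formatted one.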

Re: ISPF 3.4 DSLIST questions

2020-07-08 Thread Bob Bridges
I've been doing mainframe security for a few decades now, but I've never 
learned IBM's version of assembler (I still have ambitions of doing that 
eventually) so I may be mistaken about how RACROUTE works.  But my impression 
is that the question the OS asks the security system might look like this:  
"About resource HLQ.XYZ in class DATASET, does ABC have UPDATE access to it?"  
In other words, the question specifies the class, the resource name, the user's 
ID and the level of access (READ or whatever), and the answer is a simple Yes 
or No (or in rare cases "I can't tell").

Am I mistaken in that?  If not, then how do you learn what access ABC has to 
HLQ.XYZ without asking once for READ, once for UPDATE and so on?

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* People don't really want to go back to a time when the world was simpler. 
They want to go back to a time when they didn't understand how complicated the 
world has always been. */


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of David Spiegel
Sent: Tuesday, July 7, 2020 18:15

"...  But if you want to know all the kinds of access you have, you'd 
need to ask the question three or four times, for read, update, execute 
and create. ..."

This statement is not true.

I published an Assembler program and a Rexx Exec here on June 14.
My program has been placed on CBT File 836 (for now, it's in the Update 
section of the website).

--- On 2020-07-07 17:45, Bob Bridges wrote:
> Nothing useful to say about your first question, but about the second:  I can 
> think of two ways to pull your access information for a list of datasets.
>
> 1) Query the system about which security app is running (RACF, ACF2 or TSS), 
> then issue the commands and parse the output.  Display only the brief 
> results, eg "RW" for "read/write".  I have a REXX that can tell you which 
> security app is running, if you're interested.
>
> That involves a lot of coding.  It might be simpler (if you can find a way to 
> do it) to 2) do a RACROUTE query, since that sends the question to existing 
> security system and returns simply 0 (access allowed), 8 (not allowed) or 
> very rarely 4 (can't tell).  But if you want to know all the kinds of access 
> you have, you'd need to ask the question three or four times, for read, 
> update, execute and create.
>
> And for both methods you'd have to do the query for every dataset in the 
> list.  If you do long lists and/or do this often, it puts a burden on the 
> system that might get you talked about (and to) by the operations folks.  
> Probably not a good idea.
>
> -Original Message-
> From: IBM Mainframe Discussion List  On Behalf Of 
> Tim Hare
> Sent: Tuesday, July 7, 2020 1:08 PM
>
> I have some questions about the ISPF 3.4 utility.
>
> 1. Why does 'Referred' show on the "total" display for datasets,  but if you 
> print the dataset list, you don't get it?
>
> 2. Are there ways to extend what is displayed?  For one example:  I would 
> like to have  column for 'Your Access' that would show me what RACF says my 
> access is,  rather than having to do LD DA(/) ALL GEN on a line, and "suffer" 
> through the TSO command output  (as I've rarely worked with ACF2 and never 
> with Top Secret I don't know if such a request  can be done for 'generic 
> security system')



Re: ISPF 3.4 DSLIST questions

2020-07-07 Thread David Spiegel

Hi Bob,
"...  But if you want to know all the kinds of access you have, you'd 
need to ask the question three or four times, for read, update, execute 
and create. ..."

This statement is not true.

I published an Assembler program and a Rexx Exec here on June 14.
My program has been placed on CBT File 836 (for now, it's in the Update 
section of the website).


Regards,
David

On 2020-07-07 17:45, Bob Bridges wrote:

Nothing useful to say about your first question, but about the second:  I can 
think of two ways to pull your access information for a list of datasets.

1) Query the system about which security app is running (RACF, ACF2 or TSS), then issue the 
commands and parse the output.  Display only the brief results, eg "RW" for 
"read/write".  I have a REXX that can tell you which security app is running, if you're 
interested.

That involves a lot of coding.  It might be simpler (if you can find a way to 
do it) to 2) do a RACROUTE query, since that sends the question to existing 
security system and returns simply 0 (access allowed), 8 (not allowed) or very 
rarely 4 (can't tell).  But if you want to know all the kinds of access you 
have, you'd need to ask the question three or four times, for read, update, 
execute and create.

And for both methods you'd have to do the query for every dataset in the list.  
If you do long lists and/or do this often, it puts a burden on the system that 
might get you talked about (and to) by the operations folks.  Probably not a 
good idea.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* People don't really want to go back to a time when the world was simpler. 
They want to go back to a time when they didn't understand how complicated the 
world has always been. */

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tim 
Hare
Sent: Tuesday, July 7, 2020 1:08 PM

I have some questions about the ISPF 3.4 utility.

1. Why does 'Referred' show on the "total" display for datasets,  but if you 
print the dataset list, you don't get it?

2. Are there ways to extend what is displayed?  For one example:  I would like to have  
column for 'Your Access' that would show me what RACF says my access is,  rather than 
having to do LD DA(/) ALL GEN on a line, and "suffer" through the TSO command 
output  (as I've rarely worked with ACF2 and never with Top Secret I don't know if such a 
request  can be done for 'generic security system')



Re: ISPF 3.4 DSLIST questions

2020-07-07 Thread Bob Bridges
Nothing useful to say about your first question, but about the second:  I can 
think of two ways to pull your access information for a list of datasets.

1) Query the system about which security app is running (RACF, ACF2 or TSS), 
then issue the commands and parse the output.  Display only the brief results, 
eg "RW" for "read/write".  I have a REXX that can tell you which security app 
is running, if you're interested.

That involves a lot of coding.  It might be simpler (if you can find a way to 
do it) to 2) do a RACROUTE query, since that sends the question to existing 
security system and returns simply 0 (access allowed), 8 (not allowed) or very 
rarely 4 (can't tell).  But if you want to know all the kinds of access you 
have, you'd need to ask the question three or four times, for read, update, 
execute and create.

And for both methods you'd have to do the query for every dataset in the list.  
If you do long lists and/or do this often, it puts a burden on the system that 
might get you talked about (and to) by the operations folks.  Probably not a 
good idea.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* People don't really want to go back to a time when the world was simpler. 
They want to go back to a time when they didn't understand how complicated the 
world has always been. */

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tim 
Hare
Sent: Tuesday, July 7, 2020 1:08 PM

I have some questions about the ISPF 3.4 utility.

1. Why does 'Referred' show on the "total" display for datasets,  but if you 
print the dataset list, you don't get it?

2. Are there ways to extend what is displayed?  For one example:  I would like 
to have  column for 'Your Access' that would show me what RACF says my access 
is,  rather than having to do LD DA(/) ALL GEN on a line, and "suffer" through 
the TSO command output  (as I've rarely worked with ACF2 and never with Top 
Secret I don't know if such a request  can be done for 'generic security 
system') 



Re: ISPF 3.4 DSLIST questions

2020-07-07 Thread Lionel B Dyck
You'd have to write your own. You can start with LMDLIST and then add your 
other info to generate a table display.


Lionel B. Dyck <
Website: https://www.lbdsoftware.com

"Worry more about your character than your reputation.  Character is what you 
are, reputation merely what others think you are." - John Wooden

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tim 
Hare
Sent: Tuesday, July 7, 2020 1:08 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: ISPF 3.4 DSLIST questions

I have some questions about the ISPF 3.4 utility.

1. Why does 'Referred' show on the "total" display for datasets,  but if you 
print the dataset list, you don't get it?

2. Are there ways to extend what is displayed?  For one example:  I would like 
to have  column for 'Your Access' that would show me what RACF says my access 
is,  rather than having to do LD DA(/) ALL GEN on a line, and "suffer" through 
the TSO command output  (as I've rarely worked with ACF2 and never with Top 
Secret I don't know if such a request  can be done for 'generic security 
system') 
