One major difference.  In CICS, the query security is for a subset of RACF
information, and is already running in the proper environment, i.e. CICS, and
is using the logged on userid's ACEE.  You cannot issue a query security to
see if another user has the authority, and you also cannot check for access
to non-CICS resources.  Because of things like PADS or WHEN() processing, it
is hard to guarantee that you can get the same answer if the environment is
different.

Wayne Driscoll
Product Developer

[EMAIL PROTECTED]
(Direct) (630) 663-0719
(Mobile) (630) 247-1632



-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf
Of Randy Evans
Sent: Monday, February 25, 2008 9:05 AM
To: [email protected]
Subject: Re: Newbie RACROUTE question: how to *test* authorization?

>>
>>>One could argue that letting you determine your access to resources
>>>without actually trying to use them (and thus without causing audit
>>>records) is a form of hacking.
>>
>>Perhaps, but some IBM code does exactly that, and for what seems to be
>>good cause. I don't recall the details, but it was discussed here in the
>>last few years.
>>
>
>You may be thinking of ISPF 3.4 and data set name hiding or may be
>thinking of ISPF 3.4 checking for ALTER access to the catalog.
>

Following extracted from the CICS/TS RACF Security Guide:

"2.7.6.2 Checking which transactions to offer a user
You can use the QUERY SECURITY command to check whether a user is
authorized to use a particular transaction before displaying the
transaction code as part of an introductory menu. When you use the
command for this purpose, you will probably want to avoid logging the
checks for users who are not allowed to use certain transactions. To do
this, use the NOLOG option."

...and the QUERY SECURITY command invokes a RACROUTE to perform this
function. So CICS is documenting use of preemptive RACROUTE requests as
reasonable design in presenting usable options on a user's menu.

Randy Evans, Viaserv, Inc.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
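
The menu check described in the quoted Security Guide passage, as an added example (not code from the thread or from the CICS documentation). The program name, field names and the transaction IDs PAY1, INV1 and ADM1 are hypothetical, and it assumes transactions are checked with RESTYPE('TRANSATTACH').

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. MENUCHK.
      * Added illustration; program, field and transaction names are
      * hypothetical. Needs the CICS translator and a CICS region.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  WS-CANDIDATES.
           05  FILLER           PIC X(4) VALUE 'PAY1'.
           05  FILLER           PIC X(4) VALUE 'INV1'.
           05  FILLER           PIC X(4) VALUE 'ADM1'.
       01  WS-CAND-TABLE REDEFINES WS-CANDIDATES.
           05  WS-TRANID        PIC X(4) OCCURS 3 TIMES.
       01  WS-IDX               PIC S9(4) COMP.
       01  WS-READ-CVDA         PIC S9(8) COMP.
       01  WS-RESP              PIC S9(8) COMP.
       01  WS-MENU.
           05  WS-MENU-COUNT    PIC S9(4) COMP VALUE 0.
           05  WS-MENU-ENTRY    PIC X(4) OCCURS 3 TIMES.
       PROCEDURE DIVISION.
       MAIN-PARA.
           PERFORM VARYING WS-IDX FROM 1 BY 1 UNTIL WS-IDX > 3
      *       The check runs against the signed-on user of this task.
      *       NOLOG keeps a denied check from being logged.
              EXEC CICS QUERY SECURITY
                   RESTYPE('TRANSATTACH')
                   RESID(WS-TRANID(WS-IDX))
                   READ(WS-READ-CVDA)
                   NOLOG
                   RESP(WS-RESP)
              END-EXEC
      *       Any non-NORMAL response (for example NOTFND) is treated
      *       as "do not offer", so the menu fails closed.
              IF WS-RESP = DFHRESP(NORMAL)
                 AND WS-READ-CVDA = DFHVALUE(READABLE)
                 ADD 1 TO WS-MENU-COUNT
                 MOVE WS-TRANID(WS-IDX)
                   TO WS-MENU-ENTRY(WS-MENU-COUNT)
              END-IF
           END-PERFORM
      *    WS-MENU now holds only the transactions to display. Where
      *    transaction-attach security is active, CICS still checks
      *    the user again when a listed transaction is started.
           EXEC CICS RETURN END-EXEC.
```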
