One call to your program, or one call to RACF?

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of David Spiegel
Sent: Thursday, July 9, 2020 1:30 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: ISPF 3.4 DSLIST questions

Hi Skip,
My program does it in one call.

Regards,
David

On 2020-07-09 00:20, Jesse 1 Robinson wrote:
> My experience with RACF echoes Bob Bridges, as does the excellent code sample
> from David Spiegel. A single call directly to RACF returns a yes/no for the
> level of access queried in that call.
>
> Ages ago I worked in an ASM2 shop. As I recall, ASM2 allowed a single call to
> determine the highest level of access allowed. In any case, it's a shame that
> RACF requires multiple calls. David's code appears to do that but masks it
> for the user.
>
> .
> .
> J.O.Skip Robinson
> Southern California Edison Company
> Electric Dragon Team Paddler
> SHARE MVS Program Co-Manager
> 323-715-0595 Mobile
> 626-543-6132 Office ⇐=== NEW
> robin...@sce.com
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Mike Hochee
> Sent: Wednesday, July 8, 2020 9:07 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: (External):Re: ISPF 3.4 DSLIST questions
>
> Hi Bob,
>
> If I was unfamiliar with assembler, I would not start by attempting to use
> RACROUTE macros, as the combination of the two is a lot to chew on IMO.
>
> RACSEQ is a TSO command/utility for RACF written by Bruce Wells of IBM
> some years ago. Documentation and assembler source are available
> here...
> https://eur06.safelinks.protection.outlook.com/?url=ftp%3A%2F%2Fftp.www.ibm.com%2Fs390%2Fzos%2Fracf%2Fracseq%2FracseqReadMe.pdf&data=02%7C01%7C%7Cc1ba10f375ae4291954408d823bf7269%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637298652463812056&sdata=eEwr70f%2BfqMkQRw60AnpPPIXMcSfXd0BZUtBrqf0a8s%3D&reserved=0
> It is certainly callable from Rexx and is something you can customize if
> desired. Rather than RACROUTE, the program makes use of the RACF R_admin
> callable service. RACF callable service functionality may map more closely
> to the kind of permission/resource related questions you posed. The RACF
> callable services are documented here...
> https://eur06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww-01.ibm.com%2Fservers%2Fresourcelink%2Fsvc00100.nsf%2Fpages%2FzOSV2R3sa232293%2F%24file%2Fichd100_v2r3.pdf&data=02%7C01%7C%7Cc1ba10f375ae4291954408d823bf7269%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637298652463812056&sdata=Pr3%2Ba4ktBbxfWgtzqsaVCF%2BvXMSMovGYt42sT1KOKCk%3D&reserved=0
>
> HTH,
> Mike
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bob Bridges
> Sent: Wednesday, July 8, 2020 7:04 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: ISPF 3.4 DSLIST questions
>
> I've been doing mainframe security for a few decades now, but I've never
> learned IBM's version of assembler (I still have ambitions of doing that
> eventually) so I may be mistaken about how RACROUTE works. But my impression
> is that the question the OS asks the security system might look like this:
> "About resource HLQ.XYZ in class DATASET, does ABC have UPDATE access to it?"
> In other words, the question specifies the class, the resource name, the
> user's ID and the level of access (READ or whatever), and the answer is a
> simple Yes or No (or in rare cases "I can't tell").
>
> Am I mistaken in that?
> If not, then how do you learn what access ABC has to
> HLQ.XYZ without asking once for READ, once for UPDATE and so on?
>
> ---
> Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313
>
> /* People don't really want to go back to a time when the world was
> simpler. They want to go back to a time when they didn't understand
> how complicated the world has always been. */
>
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of David Spiegel
> Sent: Tuesday, July 7, 2020 18:15
>
> "... But if you want to know all the kinds of access you have, you'd need to
> ask the question three or four times, for read, update, execute and create.
> ..."
>
> This statement is not true.
>
> I published an Assembler program and a Rexx Exec here on June 14.
> My program has been placed on CBT File 836 (for now, it's in the Update
> section of the website).
>
> --- On 2020-07-07 17:45, Bob Bridges wrote:
>> Nothing useful to say about your first question, but about the second: I
>> can think of two ways to pull your access information for a list of datasets.
>>
>> 1) Query the system about which security app is running (RACF, ACF2 or TSS),
>> then issue the commands and parse the output. Display only the brief
>> results, e.g. "RW" for "read/write". I have a REXX that can tell you which
>> security app is running, if you're interested.
>>
>> That involves a lot of coding. It might be simpler (if you can find a way
>> to do it) to 2) do a RACROUTE query, since that sends the question to
>> the existing security system and returns simply 0 (access allowed), 8 (not
>> allowed) or very rarely 4 (can't tell). But if you want to know all the
>> kinds of access you have, you'd need to ask the question three or four
>> times, for read, update, execute and create.
>>
>> And for both methods you'd have to do the query for every dataset in the
>> list.
>> If you do long lists and/or do this often, it puts a burden on the
>> system that might get you talked about (and to) by the operations folks.
>> Probably not a good idea.
>>
>> -----Original Message-----
>> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Tim Hare
>> Sent: Tuesday, July 7, 2020 1:08 PM
>>
>> I have some questions about the ISPF 3.4 utility.
>>
>> 1. Why does 'Referred' show on the "total" display for datasets, but if you
>> print the dataset list, you don't get it?
>>
>> 2. Are there ways to extend what is displayed? For one example: I
>> would like to have a column for 'Your Access' that would show me what
>> RACF says my access is, rather than having to do LD DA(/) ALL GEN on
>> a line, and "suffer" through the TSO command output (as I've rarely
>> worked with ACF2 and never with Top Secret I don't know if such a
>> request can be done for 'generic security system')
>

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
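
The yes/no probing discussed in this thread, sketched in Python as an added example; it is not part of the thread and is not David Spiegel's program on CBT File 836. `sample_check`, `SAMPLE_PERMITS` and every dataset name except HLQ.XYZ are constructed stand-ins for the security system, and the ladder assumes RACF access authorities are hierarchical (ALTER, CONTROL, UPDATE, READ, EXECUTE, highest first).

```python
from typing import Callable, Dict, Iterable, Tuple

# Return codes as described in the thread: 0 allowed, 8 not allowed, 4 can't tell.
ALLOWED, CANT_TELL, DENIED = 0, 4, 8

# Assumption: RACF access authorities are hierarchical, listed highest first.
LEVELS = ("ALTER", "CONTROL", "UPDATE", "READ", "EXECUTE")

Check = Callable[[str, str, str, str], int]  # (class, resource, user, level) -> rc

def highest_access(check: Check, cls: str, resource: str, user: str) -> Tuple[str, int]:
    """Ask one yes/no question per level, highest first; return (level, calls made)."""
    for calls, level in enumerate(LEVELS, start=1):
        rc = check(cls, resource, user, level)
        if rc == ALLOWED:
            return level, calls          # every lower level is implied
        if rc == CANT_TELL:
            return "UNKNOWN", calls      # no decision: never report this as NONE
        if rc != DENIED:
            raise ValueError(f"unexpected return code {rc} for {resource}")
    return "NONE", len(LEVELS)

# Constructed sample data standing in for the security database.
SAMPLE_PERMITS: Dict[str, Dict[str, str]] = {
    "HLQ.XYZ": {"ABC": "UPDATE"},
    "HLQ.LOADLIB": {"ABC": "EXECUTE"},
    "SYS1.PARMLIB": {},
}

def sample_check(cls: str, resource: str, user: str, level: str) -> int:
    """Hypothetical stand-in for a single authorization query (not a real API)."""
    if cls != "DATASET" or resource not in SAMPLE_PERMITS:
        return CANT_TELL                 # no covering entry in the sample data
    granted = SAMPLE_PERMITS[resource].get(user)
    if granted is None:
        return DENIED
    return ALLOWED if LEVELS.index(granted) <= LEVELS.index(level) else DENIED

def your_access_column(check: Check, datasets: Iterable[str], user: str):
    """Build a 'Your Access' column for a dataset list and count the queries it cost."""
    column, total = {}, 0
    for dsn in datasets:
        column[dsn], calls = highest_access(check, "DATASET", dsn, user)
        total += calls
    return column, total

if __name__ == "__main__":
    names = ["HLQ.XYZ", "HLQ.LOADLIB", "SYS1.PARMLIB", "TEMP.WORK"]
    print(your_access_column(sample_check, names, "ABC"))
```

The returned call count is the per-list cost raised in the thread: it grows with the number of datasets times the number of levels probed.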