Deepest apologies to David Spiegel. And to IBM. I never noticed the ACCESS 
option on the RACROUTE macro even though it's been there for a lonnnnng time. 
RACF 1.9 is pretty hoary. 

So David's program is a nifty way to get the highest level of access allowed 
with a single call to RACF. I'm not sure what OP's requirement is for various 
users. A lot of RACF inquiries are based on the current (issuing) user unless 
some other user's ACEE is specified. That generally requires running APF 
authorized. 

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Lou 
Losee
Sent: Thursday, July 9, 2020 11:58 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: ISPF 3.4 DSLIST questions

One call to RACF - according to the description for the STATUS=ACCESS keyword 
on the RACROUTE REQUEST=AUTH macro in the RACROUTE manual:

 ACCESS - The request is simply to return the user's highest current access to 
the resource specified. Upon successful completion, the user's access is 
returned in the RACF reason code. No auditing is done for this request.
Note:
1. If the ATTR= keyword is specified along with STATUS=ACCESS, the ATTR= 
keyword is ignored.
2. To use the STATUS=ACCESS keyword, you must specify RELEASE=1.9 or later.

Lou
--
Artificial Intelligence is no match for Natural Stupidity
  - Unknown


On Thu, Jul 9, 2020 at 1:25 PM Jesse 1 Robinson <jesse1.robin...@sce.com>
wrote:

> One call to your program, or one call to RACF?
>
> .
> .
> J.O.Skip Robinson
> Southern California Edison Company
> Electric Dragon Team Paddler
> SHARE MVS Program Co-Manager
> 323-715-0595 Mobile
> 626-543-6132 Office ⇐=== NEW
> robin...@sce.com
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On 
> Behalf Of David Spiegel
> Sent: Thursday, July 9, 2020 1:30 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: (External):Re: ISPF 3.4 DSLIST questions
>
> Hi Skip,
> My program does it in one call.
>
> Regards,
> David
>
> On 2020-07-09 00:20, Jesse 1 Robinson wrote:
> > My experience with RACF echoes Bob Bridges, as does the excellent
> > code sample from David Spiegel. A single call directly to RACF
> > returns a yes/no for the level of access queried in that call.
> >
> > Ages ago I worked in an ASM2 shop. As I recall, ASM2 allowed a
> > single call to determine the highest level of access allowed. In
> > any case, it's a shame that RACF requires multiple calls. David's
> > code appears to do that but masks it for the user.
> >
> > .
> > .
> > J.O.Skip Robinson
> > Southern California Edison Company
> > Electric Dragon Team Paddler
> > SHARE MVS Program Co-Manager
> > 323-715-0595 Mobile
> > 626-543-6132 Office ⇐=== NEW
> > robin...@sce.com
> >
> > -----Original Message-----
> > From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On 
> > Behalf Of Mike Hochee
> > Sent: Wednesday, July 8, 2020 9:07 PM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: (External):Re: ISPF 3.4 DSLIST questions
> >
> > Hi Bob,
> >
> > If I was unfamiliar with assembler, I would not start by attempting
> > to use RACROUTE macros, as the combination of the two is a lot to
> > chew on IMO.
> >
> > RACSEQ is a TSO command/utility for RACF written by Bruce Wells of
> > IBM some years ago. Documentation and assembler source are available
> > here...
> > ftp://ftp.www.ibm.com/s390/zos/racf/racseq/racseqReadMe.pdf
> > It is certainly callable from Rexx and is something you can
> > customize if desired.  Rather than RACROUTE, the program makes use
> > of the RACF R_admin callable service.
> > RACF callable service functionality may map more closely to the kind
> > of permission/resource related questions you posed. The RACF
> > callable services are documented here...
> > https://www-01.ibm.com/servers/resourcelink/svc00100.nsf/pages/zOSV2R3sa232293/$file/ichd100_v2r3.pdf
> >
> > HTH,
> > Mike
> >
> > -----Original Message-----
> > From: IBM Mainframe Discussion List 
> > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bob Bridges
> > Sent: Wednesday, July 8, 2020 7:04 PM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: ISPF 3.4 DSLIST questions
> >
> > I've been doing mainframe security for a few decades now, but I've
> > never learned IBM's version of assembler (I still have ambitions of
> > doing that eventually) so I may be mistaken about how RACROUTE
> > works.  But my impression is that the question the OS asks the
> > security system might look like this:  "About resource HLQ.XYZ in
> > class DATASET, does ABC have UPDATE access to it?"  In other words,
> > the question specifies the class, the resource name, the user's ID
> > and the level of access (READ or whatever), and the answer is a
> > simple Yes or No (or in rare cases "I can't tell").
> >
> > Am I mistaken in that?  If not, then how do you learn what access
> > ABC has to HLQ.XYZ without asking once for READ, once for UPDATE
> > and so on?
> >
> > ---
> > Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313
> >
> > /* People don't really want to go back to a time when the world was 
> > simpler. They want to go back to a time when they didn't understand 
> > how complicated the world has always been. */
> >
> >
> > -----Original Message-----
> > From: IBM Mainframe Discussion List 
> > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of David Spiegel
> > Sent: Tuesday, July 7, 2020 18:15
> >
> > "...  But if you want to know all the kinds of access you have,
> > you'd need to ask the question three or four times, for read,
> > update, execute and create. ..."
> >
> > This statement is not true.
> >
> > I published an Assembler program and a Rexx Exec here on June 14.
> > My program has been placed on CBT File 836 (for now, it's in the
> > Update section of the website).
> >
> > --- On 2020-07-07 17:45, Bob Bridges wrote:
> >> Nothing useful to say about your first question, but about the
> >> second: I can think of two ways to pull your access information
> >> for a list of datasets.
> >>
> >> 1) Query the system about which security app is running (RACF, ACF2
> >> or TSS), then issue the commands and parse the output.  Display
> >> only the brief results, eg "RW" for "read/write".  I have a REXX
> >> that can tell you which security app is running, if you're
> >> interested.
> >>
> >> That involves a lot of coding.  It might be simpler (if you can
> >> find a way to do it) to 2) do a RACROUTE query, since that sends
> >> the question to the existing security system and returns simply 0
> >> (access allowed), 8 (not allowed) or very rarely 4 (can't tell).
> >> But if you want to know all the kinds of access you have, you'd
> >> need to ask the question three or four times, for read, update,
> >> execute and create.
> >>
> >> And for both methods you'd have to do the query for every dataset
> >> in the list.  If you do long lists and/or do this often, it puts a
> >> burden on the system that might get you talked about (and to) by
> >> the operations folks.  Probably not a good idea.
> >>
> >> -----Original Message-----
> >> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On 
> >> Behalf Of Tim Hare
> >> Sent: Tuesday, July 7, 2020 1:08 PM
> >>
> >> I have some questions about the ISPF 3.4 utility.
> >>
> >> 1. Why does 'Referred' show on the "total" display for datasets,
> >> but if you print the dataset list, you don't get it?
> >>
> >> 2. Are there ways to extend what is displayed?  For one example:  I 
> >> would like to have a column for 'Your Access' that would show me
> >> what RACF says my access is,  rather than having to do LD DA(/) ALL 
> >> GEN on a line, and "suffer" through the TSO command output  (as 
> >> I've rarely worked with ACF2 and never with Top Secret I don't know 
> >> if such a request  can be done for 'generic security system')

