> You talk about authenticating with a certificate, but how would
permissions work in that case?

FWIW, authentication ("signing on") and authorization ("permissions") are
separate issues. RACF (and its sisters) do both, so it is easy to run them
together, but they are separate issues.* You are correct -- one might
authenticate with an iris scanner, but you still need a decision "can Bob
update SYS1.LINKLIB or not?"

RACROUTE takes a USERID of up to 8 characters, but generally works not
directly from a USERID but rather from an existing ACEE. But yes, the ACEE
includes -- you guessed it -- the basic 1+8 USERID. Not every ACEE has a
USERID filled in, so perhaps -- perhaps, I don't know -- perhaps one could
go from certificate authentication to an ACEE to authorization.

*I heard Barry Shrager, a father of mainframe security, say words to the
effect that authentication is the more important issue, because without good
authentication that you really are RBRIDGES, what difference does it make
what resources RBRIDGES has access to?

Charles
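An added illustration of the split described above, in Python; this is not code from either post, not IBM's RACF, and nothing here calls a real RACROUTE. It models certificate authentication that resolves to a 1-8 character userid carried in a toy ACEE, a password path that arrives at the same kind of ACEE, and an authorization check that looks only at the ACEE's userid, the resource profile's access list and its UACC. The certificates, fingerprint-to-userid map, password store, profiles and the rule that an ACEE with no userid gets only UACC are all constructed assumptions; the NONE < READ < UPDATE < CONTROL < ALTER ordering is RACF's real access-level hierarchy.

```python
"""Toy model of authentication vs. authorization in a RACF-like system.
Added example, not IBM code. Everything named below is constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# RACF access levels, lowest to highest (this ordering is real).
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

# Constructed stand-ins for DER certificate bytes (not real X.509).
CERT_RBRIDGES = b"constructed-cert-for-RBRIDGES"
CERT_SYSPROG = b"constructed-cert-for-SYSPROG"
CERT_STRANGER = b"constructed-cert-nobody-mapped"


def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


# Constructed certificate-to-userid map (assumption, playing the role of a
# RACDCERT-style mapping): authentication proves possession of the cert,
# the map turns that into the 1-8 character userid the ACEE carries.
CERT_MAP = {
    fingerprint(CERT_RBRIDGES): "RBRIDGES",
    fingerprint(CERT_SYSPROG): "SYSPROG",
}

# Constructed password store: a second way to reach the same kind of ACEE.
_SALT = b"constructed-salt"


def _pwhash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


PASSWORDS = {"RBRIDGES": _pwhash("correct horse")}

# Constructed dataset profiles: universal access (UACC) plus an access list.
PROFILES = {
    "SYS1.LINKLIB": {"uacc": "READ", "acl": {"SYSPROG": "ALTER"}},
    "RBRIDGES.PRIVATE.DATA": {"uacc": "NONE", "acl": {"RBRIDGES": "ALTER"}},
}

USERID_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789#$@")


def valid_userid(userid: str) -> bool:
    """1 to 8 characters from A-Z, 0-9, #, $, @: the 8-byte limit under discussion."""
    return 1 <= len(userid) <= 8 and all(c in USERID_CHARS for c in userid)


@dataclass(frozen=True)
class ACEE:
    """Toy accessor environment element: the thing authorization consumes."""
    userid: Optional[str]  # may be empty, as Charles notes
    auth_method: str


def authenticate_certificate(cert_der: bytes) -> ACEE:
    """Certificate authn: the caller is whoever holds the cert; the map
    supplies the userid (or nothing, if no mapping exists)."""
    userid = CERT_MAP.get(fingerprint(cert_der))
    if userid is not None and not valid_userid(userid):
        raise ValueError(f"mapped userid {userid!r} violates the 8-byte rule")
    return ACEE(userid=userid, auth_method="CERT")


def authenticate_password(userid: str, password: str) -> Optional[ACEE]:
    """Password authn: same ACEE shape, different proof of identity."""
    stored = PASSWORDS.get(userid)
    if stored is None or not hmac.compare_digest(stored, _pwhash(password)):
        return None
    return ACEE(userid=userid, auth_method="PASSWORD")


def racroute_auth(acee: ACEE, resource: str, requested: str) -> bool:
    """Toy RACROUTE REQUEST=AUTH: decides from the ACEE and the profile, never
    from how the ACEE was produced. Assumptions: exact profile match only; a
    resource with no profile is denied; an ACEE with no userid gets only UACC."""
    if requested not in ACCESS_RANK:
        raise ValueError(f"unknown access level {requested!r}")
    profile = PROFILES.get(resource)
    if profile is None:
        return False
    if acee.userid is None:
        granted = profile["uacc"]
    else:
        granted = profile["acl"].get(acee.userid, profile["uacc"])
    return ACCESS_RANK[granted] >= ACCESS_RANK[requested]


if __name__ == "__main__":
    bob = authenticate_certificate(CERT_RBRIDGES)
    for res, lvl in [("SYS1.LINKLIB", "READ"), ("SYS1.LINKLIB", "UPDATE")]:
        print(bob.userid, bob.auth_method, res, lvl, racroute_auth(bob, res, lvl))
```

The point the model makes: both authenticators produce an ACEE whose only authorization-relevant field is the 8-byte userid, so the "can RBRIDGES update SYS1.LINKLIB?" decision is identical whether RBRIDGES arrived by certificate or by password, and a certificate with no mapping still yields an ACEE, just one with nothing to look up in an access list.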

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Bob Bridges
Sent: Saturday, May 2, 2020 11:10 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe user ID length

But...but...  (Still expostulating, here, you see.)  When I want to open a
dataset for editing in TSO, the OS sends a question to the security system,
asking "is <Bob Bridges> allowed <this level of access> to <this dataset>?".
To identify <Bob Bridges> it specifies my ID.  The question is routed to
RACF, ACF2 or Top Secret, and the part of the OS that is performing the
action doesn't know and doesn't care which one - but before it performs the
open, it requires an answer from the security system, and all three of them
have an 8-byte limit on the ID.

You talk about authenticating with a certificate, but how would permissions
work in that case?  Isn't RACROUTE the funneling point for all such checks?
And doesn't RACROUTE require an 8-byte ID to identify the actor?
