So maybe - maybe, I don't know either - if I sign on to z/OS with a certificate, or LDAP, or anything other than the usual, the sign-on routine MAKES UP an 8-byte ID and stores it in the ACEE. If so, after that everything works fine, I guess.
--- Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* Democracy is where you can say what you think even if you don't think. */

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Charles Mills
Sent: Saturday, May 2, 2020 16:26

FWIW, authentication ("signing on") and authorization ("permissions") are separate issues. RACF (and its sisters) do both, so it is easy to run them together, but they are separate issues.*

You are correct -- one might authenticate with an iris scanner, but you still need a decision "can Bob update SYS1.LINKLIB or not?"

RACROUTE takes a USERID of up to 8 characters, but generally works not directly from a USERID but rather from an existing ACEE. But yes, the ACEE includes -- you guessed it -- the basic 1+8 USERID. Not every ACEE has a USERID filled in, so perhaps -- perhaps, I don't know -- perhaps one could go from certificate authentication to an ACEE to authorization.

*I heard Barry Schrager, a father of mainframe security, say words to the effect that authentication is the more important issue, because without good authentication that you really are RBRIDGES, what difference does it make what resources RBRIDGES has access to?

-----Original Message-----
From: Bob Bridges
Sent: Saturday, May 2, 2020 11:10 AM

But...but... (Still expostulating, here, you see.) When I want to open a dataset for editing in TSO, the OS sends a question to the security system, asking "is <Bob Bridges> allowed <this level of access> to <this dataset>?". To identify <Bob Bridges> it specifies my ID. The question is routed to RACF, ACF2 or Top Secret, and the part of the OS that is performing the action doesn't know and doesn't care which one - but before it performs the open, it requires an answer from the security system, and all three of them have an 8-byte limit on the ID.

You talk about authenticating with a certificate, but how would permissions work in that case? Isn't RACROUTE the funneling point for all such checks? And doesn't RACROUTE require an 8-byte ID to identify the actor?
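A constructed model of the authenticate-then-authorize flow the messages above describe, added here as an illustration (it is not RACF, ACF2 or Top Secret code, and the certificate map, password table, profile layout and access-list rules are invented for the example): whichever mechanism authenticates, the result is an ACEE carrying a 1+8 userid, and the RACROUTE-style check consults only that identity.

```python
"""Constructed model of the authenticate -> ACEE -> authorize flow. Not RACF,
ACF2 or Top Secret code; the profile rules here are invented for illustration."""
from dataclasses import dataclass
from typing import Optional

# Access levels in ascending order; holding a level implies everything below it.
ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

def pack_userid(userid: str) -> bytes:
    """Model the '1+8' field: a length byte, then the ID space-padded to 8 bytes."""
    raw = userid.upper().encode("ascii")
    if not 1 <= len(raw) <= 8:
        raise ValueError("userid must be 1-8 characters")  # the 8-byte limit
    return bytes([len(raw)]) + raw.ljust(8, b" ")

@dataclass
class ACEE:
    """Stand-in for an accessor environment element (constructed, not the real layout)."""
    userid: Optional[bytes]  # packed 1+8 field, or None when no userid was filled in
    auth_method: str         # how the session authenticated; informational only

# Constructed credential stores: one for certificates, one for the usual sign-on.
CERT_MAP = {"CN=Bob Bridges,O=Example": "RBRIDGES"}
PASSWORDS = {"RBRIDGES": "s3cret"}

def authenticate(method: str, credential) -> ACEE:
    """Authentication: whatever the mechanism, the result is an ACEE with an 8-byte ID."""
    if method == "password":
        userid, pw = credential
        ok = PASSWORDS.get(userid.upper()) == pw
        return ACEE(pack_userid(userid) if ok else None, method)
    if method == "certificate":
        userid = CERT_MAP.get(credential)  # map the subject to an existing ID
        return ACEE(pack_userid(userid) if userid else None, method)
    raise ValueError(f"unknown authentication method {method!r}")

# Constructed dataset profiles: per-user access list plus a universal access (UACC).
PROFILES = {"SYS1.LINKLIB": {"acl": {"SYSPROG": "ALTER"}, "uacc": "READ"},
            "RBRIDGES.TEST": {"acl": {"RBRIDGES": "ALTER"}, "uacc": "NONE"}}

def racroute_auth(acee: ACEE, dataset: str, requested: str) -> bool:
    """Authorization: decided from the ID in the ACEE alone, never from auth_method."""
    if acee.userid is None:
        return False  # an ACEE without a userid cannot be authorized to anything here
    userid = acee.userid[1:1 + acee.userid[0]].decode("ascii")
    profile = PROFILES.get(dataset)
    if profile is None:
        return False  # no profile: this model fails closed
    granted = profile["acl"].get(userid, profile["uacc"])
    return ACCESS_ORDER.index(granted) >= ACCESS_ORDER.index(requested)
```

The point the model makes is that a certificate sign-on and a password sign-on produce byte-identical ACEE identities, so the authorization answer is the same either way, while any ACEE left without a userid is denied everything.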