On Mon, 21 Feb 2022, at 12:38, Erik Janssen wrote:
> Hello List,
>
> We are creating some APIs with python flask running on z/os (some in
> combination with z open automation utilities in order to drive existing
> rexx / ispf edit macro logic) and that is looking very promising. In
> order to properly protect those APIs I am trying to create an
> authorization API ...
A long time ago I wrote an ispf dialog, using rexx and edit macros, and had to control what options users could pick within that. I used a small assembler program to check (in our case) ACF2 resource rules. However a determined user could have worked around that, eg by editing control files (which the edit macros normally updated) by hand, perhaps in a split-screen while the user-facing dialog was running, so at that stage in the system those rules were really just guiding what a user could try to do.

At points in the ispf dialog, it issued WTOs which SA/390 automation responded to (if they came from people entitled to issue them). It'd start started tasks with suitable parameters, to pick up the just-edited request files and do stuff.

The WTOs said in them which user was making a request, but that was a deliberate trap; obviously SA/390 knew who'd run the program that issued the WTOs. If that wasn't the named userid we'd know at once that someone was trying to beat the system.

The started tasks re-checked the resource rules to determine whether the things being asked for were actually allowed. Whereas "clever" users could have got around the dialog-controlled stuff, they couldn't change what the STC would do.

Depending on what your system does you may need some similar logic.

-- 
Jeremy Nicoll - my opinions are my own.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
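The pattern Jeremy describes (the front-end dialog only guides the user, the privileged started task re-checks the resource rules itself, and a request that names a userid other than the one the platform actually authenticated is treated as a tamper signal) carries over directly to an API. The following is an added example, not code from the thread or from any IBM product; it is plain Python with no Flask dependency so it runs anywhere, and the rule table with its `fnmatch`-style patterns is a constructed stand-in for ACF2/RACF resource rules, not real ESM syntax. `authenticated_user` stands for the identity the server learnt from its own authentication step (the analogue of SA/390 knowing who issued the WTO), while `claimed_user` is whatever the request body says.

```python
"""Server-side authorization re-check with identity-mismatch detection.

Added example modelled on the WTO / started-task pattern in the post.
Names, rule syntax and sample data are constructed for illustration.
"""
from dataclasses import dataclass
import fnmatch

# Constructed rule table standing in for the external security manager's
# resource rules.  Key: resource pattern, value: userid patterns allowed.
# Insertion order matters: the first matching resource pattern decides.
RESOURCE_RULES = {
    "JOB.SUBMIT.PROD*": {"OPSADM", "BATCH01"},
    "JOB.SUBMIT.TEST*": {"OPSADM", "DEV*"},
    "MACRO.EDIT.*": {"OPSADM", "DEV*"},
}


def rule_allows(userid: str, resource: str) -> bool:
    """Return True only if an explicit rule grants userid access to resource.

    No matching rule means deny, mirroring an ESM default-deny posture.
    """
    for pattern, principals in RESOURCE_RULES.items():
        if fnmatch.fnmatchcase(resource, pattern):
            return any(fnmatch.fnmatchcase(userid, p) for p in principals)
    return False


@dataclass
class Request:
    claimed_user: str   # userid written into the request text (the "WTO trap")
    resource: str       # resource the request wants to act on
    action: str         # what the privileged component would do


def handle_request(authenticated_user: str, req: Request, audit: list) -> str:
    """Privileged-side handler: the equivalent of the started task.

    It does not trust any check the front end performed.  It first compares
    the identity it authenticated against the identity the request claims,
    then re-evaluates the resource rule itself.  Every decision is appended
    to `audit` so mismatches are visible to detection tooling.
    """
    # 1. Spoof check: claimed identity must equal the authenticated identity.
    if authenticated_user != req.claimed_user:
        audit.append(
            f"TAMPER claimed={req.claimed_user} actual={authenticated_user} "
            f"resource={req.resource}"
        )
        return "rejected:identity-mismatch"

    # 2. Authorization re-check at the trust boundary, regardless of the
    #    front-end dialog's own guidance.
    if not rule_allows(authenticated_user, req.resource):
        audit.append(f"DENY user={authenticated_user} resource={req.resource}")
        return "rejected:not-authorized"

    audit.append(
        f"ALLOW user={authenticated_user} resource={req.resource} action={req.action}"
    )
    return f"executed:{req.action}"


def demo() -> tuple:
    """Run three constructed requests and return (results, audit trail)."""
    audit: list = []
    results = [
        # A request file hand-edited to name a privileged user: caught by step 1.
        handle_request("DEV12", Request("OPSADM", "JOB.SUBMIT.PROD01", "submit"), audit),
        # Honest identity but no rule grants PROD to DEV users: caught by step 2.
        handle_request("DEV12", Request("DEV12", "JOB.SUBMIT.PROD01", "submit"), audit),
        # Honest identity and a matching rule: executed.
        handle_request("DEV12", Request("DEV12", "JOB.SUBMIT.TEST01", "submit"), audit),
    ]
    return results, audit


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The TAMPER audit line is the detection hook: in the original story SA/390 knew at once when the named userid did not match the issuer, and here the same comparison is logged so a SIEM rule can alert on it rather than the server silently returning an error.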
