Command-level Assembler Resource Rule Example
A command-level Assembler resource rule example follows:

FUNCT    CLI   TYPE,C'A'                    TEST RECALCULATE FUNCTION
         BNE   OTHER                        IF NOT, BYPASS
* THE FOLLOWING ROUTINE WILL RECALCULATE PAYROLL AMOUNTS.
* CALL CA ACF2 TO DETERMINE IF USER IS ABLE TO DO THIS FUNCTION.
* DO NOT ABEND IF VIOLATION, JUST TELL US SO WE CAN CONTINUE.
UPDAMTS  MVI   UCRSCREQ,UCRSCRIN            SET TO DO RULE INTERPRET
         MVC   UCRSCTNM,=CL8'PAYROLL'       SET PAYROLL RESOURCE
         MVC   UCRSCNME,=CL40'RECALCULATE'  SET FUNCTION CODE
         MVI   UCRSCAC,UCRSCAAC             SET FOR GENERAL ACCESS
         MVI   UCRSCVER,UCRSCVEY            LET CA ACF2 VERIFY PASSWORD
         MVI   UCRSCABD,UCRSCABN            DO NOT ABEND IF VIOLATION
         EXEC  CICS LINK                    LINK TO CA ACF2 CICS       X
               PROGRAM('ACFAEUCC')                                     X
               COMMAREA(ACFAEUCR)                                      X
               LENGTH(512)
         MVC   MSG1(L'UCRSCMTX),UCRSCMTX    MOVE IN MESSAGE
         CLI   UCRSCRC,UCRSCRA              TEST ACCESS ALLOWED
         BE    DOIT                         IF SO, LET IT RUN
         MVC   MSG2(43),=C'USER NOT AUTHORIZED TO UPDATE AMOUNT FIELDS'
         B     SCREEN                  DISPLAY AND GET NEXT REQUEST.
* CA ACF2 PERMITS THIS, SO CONTINUE PAYROLL AMOUNT CHANGES.
DOIT     DS    0H            ROUTINE TO PROCESS PAYROLL AMOUNT FIELDS.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf
Of Jesse 1 Robinson
Sent: Thursday, April 6, 2017 3:30 PM
To: [email protected]
Subject: Re: Do you use CA-ACF2 and CICS or IMS? Be aware your CICS/IMS
developers have security admin priviledges and can do whatever they want to the
ACF2 database.
The issue with MUSASS (apparently an ACF2 term but applicable to any security
product) is that the task itself has a SAF userid that is used for task-level
accesses, but each logged in userid must be presented for user-level accesses.
Unless this distinction is preserved meticulously, taskid access can spill over
to an individual userid, granting (usually) elevated privilege that was never
intended.
.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
[email protected]
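
The task-level versus user-level distinction described above, as an added toy model in Python (not ACF2 or CICS code, and not written by anyone in this thread). The rule table, the user IDs CICSPROD, PAYADM1 and CLERK07, and all function names are constructed; only the PAYROLL / RECALCULATE resource is borrowed from the assembler example.

```python
"""Toy model of authorization inside a multi-user address space (MUSASS)."""
from dataclasses import dataclass

# Constructed rule table: (resource type, resource name) -> permitted user IDs.
RULES = {
    ("PAYROLL", "RECALCULATE"): {"CICSPROD", "PAYADM1"},
    ("PAYROLL", "INQUIRE"): {"CICSPROD", "PAYADM1", "CLERK07"},
}

def permitted(userid, rtype, rname):
    """Stand-in for the security product's rule interpretation."""
    return userid in RULES.get((rtype, rname), set())

@dataclass(frozen=True)
class Transaction:
    signed_on_user: str  # the individual logged in at the terminal
    rtype: str
    rname: str

class Region:
    """One address space that serves many signed-on users."""
    def __init__(self, task_userid):
        self.task_userid = task_userid  # identity the region itself runs under
        self.audit = []  # (id checked, requesting user, rtype, rname, result)

    def _record(self, checked, txn):
        ok = permitted(checked, txn.rtype, txn.rname)
        self.audit.append((checked, txn.signed_on_user, txn.rtype, txn.rname, ok))
        return ok

    def check_as_task(self, txn):
        """Flawed: validates the region's ID, so every user inherits its access."""
        return self._record(self.task_userid, txn)

    def check_as_user(self, txn):
        """Correct: presents the signed-on user's ID for a user-level access."""
        return self._record(txn.signed_on_user, txn)

def spilled_access(region):
    """Audit review: grants decided on an ID other than the requesting user's,
    where that user would have been denied on their own authority."""
    return [(user, rtype, rname)
            for checked, user, rtype, rname, ok in region.audit
            if ok and checked != user and not permitted(user, rtype, rname)]
```
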
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf
Of Steve Beaver
Sent: Thursday, April 06, 2017 12:43 PM
To: [email protected]
Subject: (External):Re: Do you use CA-ACF2 and CICS or IMS? Be aware your
CICS/IMS developers have security admin priviledges and can do whatever they
want to the ACF2 database.
Multiple Users in a Single Address Space. (MUSASS)
In the CICS program there is an HLL interface to ACF2. Very easy to set up and
use.
Steve
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf
Of Peter Hunkeler
Sent: Thursday, April 6, 2017 2:33 PM
To: [email protected]
Subject: Re: Do you use CA-ACF2 and CICS or IMS? Be aware your CICS/IMS
developers have security admin priviledges and can do whatever they want to the
ACF2 database.
> Peter - What are you attempting to do?
>
> Steve
Me? It's not my thread, I just followed it with interest. I did not
understand the term MUSASS. That's all.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN