In which case you should supply two calls to the non-privileged STC, one which will get the work element and set the security and a second which will return results. The calls can be PCs or SVCs.

On Wed, 17 May 2017 14:27:25 +0700 Robin Atwood <[email protected]> wrote:

:>We set the ASXBSENV to the ACEE of the user. The requests are run single-threaded, we will have a pool of STCs available.
:>
:>Robin
:>
:>-----Original Message-----
:>From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Walt Farrell
:>Sent: 16 May 2017 22:33
:>To: [email protected]
:>Subject: Re: ATTACH with RSAPF=YES
:>
:>On Tue, 16 May 2017 20:42:42 +0700, Robin Atwood <[email protected]> wrote:
:>
:>>>However, as you're running work on behalf of various end-users, I hope you're authenticating those users and running the work under the proper end-user identity in each case. And that would probably require authorization of the STC.
:>>
:>>Yes, we run under the ACEE of the user.
:>
:>However, unless your STC runs single-threaded (handling requests for only 1 user at a time) it's not possible for you to run REXX execs invoking ISPF services with proper security.
:>
:>It would require ensuring that none of the execs, or the services they invoke, perform any ATTACH requests. The new subtask created by ATTACH would not inherit the ACEE of the user on whose behalf you're running the request. (There is one exception to that, but it's used rarely enough that it probably won't apply to you. You would have to be using WLM services, and operating as a WLM servant to manage the requests that you're processing. Then, and only then as far as I know, would the user's ACEE propagate down to a new subtask.)

--
Binyamin Dissen <[email protected]>
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel

Should you use the mailblocks package and expect a response from me, you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems, especially those from irresponsible companies.
