[email protected] wrote:
>I am not a RACF Security Administrator by any means, after reading several
>documents
>I need some help setting up a RACF Facility Class and Permitting Access To a
>Started Task Userid (STCUSRID) and My Userid (PAULD01).
>Do the following RACF Commands Define a Facility Class
>BLUE_RIBBON.SYS1.MSTRUPDT and Have I permitted the Started Task Userid
>(STCUSRID) Update access to the Facility and My Userid PAULD01 Read access ?
>RDEFINE FACILITY BLUE_RIBBON.SYS1.MSTRUPDT UACC(NONE)
>PERMIT BLUE_RIBBON.SYS1.MSTRUPDT CLASS(FACILITY) ID(STCUSRID) ACCESS(UPDATE)
>PERMIT BLUE_RIBBON.SYS1.MSTRUPDT CLASS(FACILITY) ID(PAULD01) ACCESS(READ)
With that specific setup, your own id has READ, but your STC id has UPDATE. So
your id has fewer/lower rights than your STC id in this specific profile setup.
(That is, if you have set up the STARTED class profile correctly.)

Just remember to

ralter FACILITY <profile> audit(all(READ))

(This is to catch all and every attempt to use it, good for debugging)

and also this

SETROPTS REFRESH RACLIST(FACILITY).
>FACILITY$ DC CL8'FACILITY'
>STEM DC H'00',H'00'
> DC CL13'BLUE_RIBBON.SYS1.MSTRUPDT'
>STEM# EQU *-STEM
No padding up to 39 characters in total? Something like
DC CL39'BLUE_RIBBON.SYS1.MSTRUPDT'
> DS 0D
>RACLAB RACROUTE REQUEST=AUTH,ATTR=READ,CLASS='FACILITY', XX
> RELEASE=1.9,MF=L
> DS XL8
>RACLAB# EQU *-RACLAB
Do you need RELEASE=1.9?
> MVC SEC_ENTITY,STEM
> RACROUTE REQUEST=AUTH, **
> WORKA=(R10), **
> ATTR=READ, **
> ENTITYX=SEC_ENTITY, **
> CLASS=FACILITY$, **
> MSGSUPP=NO, **
> LOG=ASIS, **
> MF=(E,RACLAB)
Where is R10 pointing? Hopefully to an area which you GETMAINed and populated
previously...
>Does the Above RACROUTE REQUEST=AUTH macro verify that the userid has Read
>Authority to the Facility ?
>Have I coded it properly ?
Probably. What happens if you run your STC? Do you see any messages?
>Without specifying a Userid, Is the ACEE used to verify the user ?
Yes. Your setup is a 'First-Party Call'. Your STC's own ACEE is used by that
RACROUTE macro.
>Should a Userid be explicitly specified on the command ?
No, not really, unless you want to do a 'Third-Party' call.
HTH!
Groete / Greetings
Elardus Engelbrecht
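
The ENTITYX layout discussed above, as an added example that is not part of the original thread: Python models the two halfword length fields and the name field to show what the quoted CL13 constant actually holds compared with a field padded to 39 bytes. Code page 037, the helper names and the filled-in length values are assumptions made here; the layout (buffer length, actual name length, then the name) follows IBM's RACROUTE documentation for ENTITYX.

```python
import struct

EBCDIC = "cp037"                       # assumption: EBCDIC code page 037
PROFILE = "BLUE_RIBBON.SYS1.MSTRUPDT"  # profile name from the thread


def dc_cl(length, text):
    """Mimic HLASM DC CLn'text': truncate or blank-pad on the right to n bytes."""
    return text.encode(EBCDIC)[:length].ljust(length, b"\x40")


def entityx(buffer_len, actual_len, name_field):
    """Two big-endian halfwords (buffer length, actual length), then the name."""
    return struct.pack(">HH", buffer_len, actual_len) + name_field


def review(blob, intended):
    """Return a list of layout problems found in an ENTITYX structure."""
    buffer_len, actual_len = struct.unpack(">HH", blob[:4])
    field = blob[4:]
    name = field.decode(EBCDIC).rstrip(" ")
    problems = []
    if name != intended:
        problems.append(f"name field holds {name!r}, not {intended!r}")
    if buffer_len == 0 and actual_len == 0:
        problems.append("both length fields are zero")
    if buffer_len and buffer_len != len(field):
        problems.append("buffer length does not match the name field size")
    if actual_len and actual_len != len(name):
        problems.append("actual length does not match the name")
    return problems


# As declared in the quoted constants: H'00',H'00' followed by CL13'...'
posted = entityx(0, 0, dc_cl(13, PROFILE))

# Name field padded to 39 bytes as the reply suggests; the two length
# values (39 and 25) are filled in here as an assumption of this example.
padded = entityx(39, len(PROFILE), dc_cl(39, PROFILE))

if __name__ == "__main__":
    for label, blob in (("posted", posted), ("padded", padded)):
        print(label, blob.hex(), review(blob, PROFILE) or "ok")
```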