Joined: 03 Dec 2002 Posts: 4 Topics: 2 Location: chennai
Posted: Tue Jun 01, 2010 4:16 pm Post subject: How to avoid using RACF ACEE component?
Hi folks,
I'm back after a long time! Here is the problem. Any help would be much appreciated.
My shop is moving from RACF to TOP SECRET for reasons known only to God. I was told TOP SECRET doesn't support ACEE. Now we are tasked with converting CICS programs that use the RACF ACEE component to not use ACEE. These CICS programs use the ACEE to look up the list of RACF groups a user belongs to, and only if a user is a member of profile X or Y or Z is he/she allowed to access the transaction.
How do I achieve the same result in RACF without using the ACEE, e.g. using QUERY SECURITY calls? Any ideas?
Please note: I don't want to code something specific to TOP SECRET. I want something that will work in RACF and is also supported by TOP SECRET. As per the RACF admin, any RACF technique other than ACEE should also work in TOP SECRET. I'd like to avoid coding cumbersome RACROUTE calls if possible.
_________________ "EVEN SKY IS NOT THE LIMIT"
Joined: 03 Dec 2002 Posts: 4 Topics: 2 Location: chennai
Posted: Thu Jun 03, 2010 5:43 pm Post subject: Gotcha!!! or not!!!
The RACF admins are supposedly too busy to help our little programming group. They left us to fend for ourselves. Nothing gets attention until it breaks in production. So here I am.
I found a solution to this problem, which I'm sharing here in case anyone is interested. I have to confess, though, that I'm not entirely sure this solution is right, but it works.
Use the QUERY SECURITY RESCLASS function and pass any RACF class and profile name in the RESID parameter. It will spit out the level of access a user has: Read or Update or Control etc. This is no biggie, just straight out of the Application Programming Reference manual. What I was struggling with was how to use this query to find out if a user is a member of a group. Looks like that is not possible. Refer to the little excerpt at the end. It says I cannot use group names in RESCLASS, and using a class name that belongs to the group automatically accesses the group. My ID belongs to different RACF groups like A, B, C and D. And these groups in turn have classes, e.g. group A has classes X, Y and Z.
By checking RESCLASS(X) RESID(<profilenamehere>) in QUERY SECURITY, I will be testing whether the user belongs to group A.
What happens when class X also belongs to group B, and another user is only a member of B, C and D, not A? He would also pass the security check, right? I'm not sure what will happen in this scenario.
If you have any idea, please pass it over.
To determine access to CICS resources you should normally use RESTYPE, when the resource class is determined by the Xname system initialization parameter. However, if, for special reasons, you want to inquire about specific CICS resource classes, you should note that the class name must be the member class, and not the group class; that is, CCICSCMD, and not VCICSCMD. The profiles in the grouping class are checked automatically if the member class has been activated by RACLIST. For example, if SEC=YES, and XCMD=YES are specified, both CCICSCMD and VCICSCMD are activated by RACLIST in the CICS region, which means that QUERY SECURITY RESCLASS(
_________________ "EVEN SKY IS NOT THE LIMIT"
Joined: 20 Dec 2002 Posts: 44 Topics: 0 Location: Hampshire, England
Posted: Sun Jun 06, 2010 4:11 am Post subject:
Why is your code attempting to do security checks itself?
Rip out all of your ACEE checking code and turn on transaction security in CICS.
When you start a transaction CICS will issue the proper calls to RACF or Top Secret to verify the user is authorised to run that transaction.
You just need to set up the RACF/Top Secret profiles to say only members of groups X, Y, Z are authorised to run transaction Fred.
_________________ Bob Buxton
Ex Websphere MQ for zOS development
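A worked example tying the two approaches in this thread together: the QUERY SECURITY call the second post describes, and the profile-based transaction security Bob Buxton recommends. This is added illustrative code, not code from the thread, from IBM or from either poster's shop; the transaction name FRED, the groups GRPX/GRPY/GRPZ and the program name AUTHCHK are assumed. It is COBOL with EXEC CICS commands, so it needs the CICS translator and a region with SEC=YES to run. It also addresses the worry raised in the second post: QUERY SECURITY reports this user's access to a resource profile, not group membership, so a user permitted through another group, through UACC, or by any other RACF route passes too; that is exactly why the decision belongs in the profile rather than in a hand-coded group list. The RACF commands in the comments are RACF-specific (Top Secret has its own TSS equivalents); the CICS side, the SIT parameters and the QUERY SECURITY call, is what stays the same across external security managers.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. AUTHCHK.
      *-----------------------------------------------------------------
      * Added example, not code from this thread.  Assumed setup:
      *   SIT: SEC=YES, XTRAN=YES  (transaction security on, so CICS
      *        itself checks TCICSTRN/GCICSTRN at attach time)
      *   RACF (run by an admin; Top Secret needs the TSS equivalents):
      *     RDEFINE TCICSTRN FRED UACC(NONE)
      *     PERMIT FRED CLASS(TCICSTRN) ID(GRPX GRPY GRPZ) ACCESS(READ)
      *     SETROPTS RACLIST(TCICSTRN) REFRESH
      * With that in place CICS rejects anyone not permitted to FRED
      * before this program ever runs.  The QUERY SECURITY below is the
      * same test done explicitly (e.g. to hide a menu option); it asks
      * "may this user READ resource FRED", not "is this user in group
      * GRPX", so anyone permitted by any route passes it.
      *-----------------------------------------------------------------
       ENVIRONMENT DIVISION.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  WS-RESTYPE           PIC X(12) VALUE 'TRANSACTION'.
       01  WS-RESID             PIC X(4)  VALUE 'FRED'.
       01  WS-READ-CVDA         PIC S9(8) COMP.
       01  WS-RESP              PIC S9(8) COMP.
       01  WS-RESP2             PIC S9(8) COMP.
       01  WS-MSG               PIC X(40).
       PROCEDURE DIVISION.
       MAIN-PARA.
      * RESTYPE lets CICS pick the class from the XTRAN SIT parameter
      * and honour the grouping class (GCICSTRN).  With RESCLASS you
      * must name the member class yourself, e.g.
      *   RESCLASS('TCICSTRN') RESCLASSLENGTH(8) RESID(..) RESIDLENGTH(4)
      * LOGMESSAGE(NOLOG) stops a mere probe from writing an ICH408I
      * violation message for every user who is not authorised.
           EXEC CICS QUERY SECURITY
                RESTYPE(WS-RESTYPE)
                RESID(WS-RESID)
                LOGMESSAGE(DFHVALUE(NOLOG))
                READ(WS-READ-CVDA)
                RESP(WS-RESP)
                RESP2(WS-RESP2)
           END-EXEC
           EVALUATE TRUE
              WHEN WS-RESP = DFHRESP(NORMAL)
                   AND WS-READ-CVDA = DFHVALUE(READABLE)
                 PERFORM DO-PROTECTED-WORK
              WHEN WS-RESP = DFHRESP(NORMAL)
      * Query worked and the answer is NOTREADABLE.
                 MOVE 'FRED: you are not authorised' TO WS-MSG
                 PERFORM SEND-MSG
              WHEN WS-RESP = DFHRESP(NOTFND)
      * No profile covers the resource, or the class is not active in
      * this region: fail closed, never treat "no profile" as permit.
                 MOVE 'FRED: no security profile found' TO WS-MSG
                 PERFORM SEND-MSG
              WHEN OTHER
                 MOVE 'FRED: security query failed' TO WS-MSG
                 PERFORM SEND-MSG
           END-EVALUATE
           EXEC CICS RETURN END-EXEC.
       DO-PROTECTED-WORK.
      * ... the work the transaction exists to do goes here ...
           MOVE 'FRED: access granted' TO WS-MSG
           PERFORM SEND-MSG.
       SEND-MSG.
           EXEC CICS SEND TEXT FROM(WS-MSG) LENGTH(LENGTH OF WS-MSG)
                ERASE FREEKB
           END-EXEC.
```

If the transaction is only ever entered through CICS attach, the QUERY SECURITY call is redundant once XTRAN=YES is in force and can be dropped, which is Bob Buxton's point; keep it only where the program needs to decide something itself (showing or hiding a function) before CICS would otherwise make the check.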