Discussion:
RACROUTE REQUEST=AUTH preprocessing exit
Mark Jacobs
2010-11-10 15:00:28 UTC
We've run into a situation where we need to prevent RACF from
disallowing access to any resource for one specific userid.

That's not too difficult to code in the ICHRCX01 exit but we also need to
record (SMF record?) the failures that would have occurred without the
exit in place, while not recording the successes that would have
occurred due to already existing RACF profiles granting access.

Does anyone have ideas on how to accomplish this?
--
Mark Jacobs
Time Customer Service
Tampa, FL
----

Sam Lowry: Give my best to Alison and the twins.
Jack Lint: Triplets.
Sam Lowry: Triplets? My how time flies

Brazil (1985)

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
Walt Farrell
2010-11-10 15:55:27 UTC
Post by Mark Jacobs
We've run into a situation where we need to prevent RACF from
disallowing access to any resource for one specific userid.
That's not too difficult to code in the ICHRCX01 exit but we also need to
record (SMF record?) the failures that would have occurred without the
exit in place, while not recording the successes that would have
occurred due to already existing RACF profiles granting access.
Does anyone have ideas on how to accomplish this?
First, the RACF-L mailing list is probably a more appropriate place to ask
questions like this than IBM-MAIN.

However, since you asked here: This feels more appropriate for ICHRCX02
(post-processing exit) than ICHRCX01 (pre-processing exit). In ICHRCX01 you
have no idea whether the request will succeed or not. But in ICHRCX02 you
know whether the request is already succeeding or failing (RCXRCODE points
to the return code for the request). If it's failing, you can change the
field that RCXRCODE points to to 0 to make it succeed.

It's not clear to me if you want to suppress all auditing of requests that
would have succeeded, or if you merely don't want to cause additional
auditing if the exit doesn't do anything.

If you want to suppress all auditing of successes for this user, unless you
caused them, then you could set the exit parm list flags to indicate
LOG=NONE whenever you see a request that is already succeeding for that user.

Or, if you simply want to guarantee auditing if your exit makes it succeed,
then you could create an SMF record from the exit when you do make the
request succeed. Or you could have the exit issue another RACROUTE
REQUEST=AUTH (that you would have to avoid processing in the exit) for a
FACILITY resource that the user has access to (and that is set up to audit
successes) and include the results of your exit in the LOGSTR keyword on
your AUTH request.
--
Walt Farrell
IBM STSM, z/OS Security Design
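The shape of the post-processing exit Walt describes, as an added HLASM skeleton for this thread (it is not IBM code and not code from either poster, and it has not been assembled or run on a system). It implements the second of his two options: when the named user's request is already failing, zero the return code that RCXRCODE points to, then drive a separate RACROUTE REQUEST=AUTH against a FACILITY profile that audits successes, carrying the original user, class, resource and return code in LOGSTR; a request for that FACILITY profile is recognised by class and entity name and left untouched so the exit does not process its own audit request. Only RCXRCODE comes from the thread. The mapping macro name ICHRCXP, the DSECT name RCXP, the fields RCXCLASS, RCXENTY and RCXUSER, a fullword return code at RCXRCODE, the profile name AUDIT.ICHRCX02.OVERRIDE and the userid SPECUSR are all assumptions and must be checked against the ICHRCXP mapping and the RACF System Programmer's Guide before this is assembled. The LOG=NONE variant (suppressing auditing of successes the exit did not cause) is left out because the thread does not name the flag that controls it.

```hlasm
***********************************************************************
* ICHRCX02 skeleton: added illustration for this thread, not IBM code.
* ASSUMED names: mapping macro ICHRCXP, DSECT RCXP, fields RCXCLASS,
* RCXENTY and RCXUSER, fullword RC at RCXRCODE.  Verify before use.
* Exits must be reentrant, so all writable storage is obtained per entry.
***********************************************************************
ICHRCX02 CSECT
ICHRCX02 AMODE 31
ICHRCX02 RMODE ANY
         YREGS                         R0-R15 equates (SYS1.MACLIB)
         STM   R14,R12,12(R13)         save caller's registers
         LR    R12,R15
         USING ICHRCX02,R12
         LR    R11,R1                  R11 -> exit parameter list
         USING RCXP,R11                ASSUMED mapping of the parm list
         STORAGE OBTAIN,LENGTH=WALEN,LOC=ANY  reentrant work area
         LR    R10,R1
         USING WORKAREA,R10
         ST    R13,SAVE+4              chain save areas
         LA    R13,SAVE
*
* 1. Leave alone the audit request this exit issues itself (step 4);
*    RACF drives the exit again for that nested RACROUTE.
         L     R2,RCXCLASS             ASSUMED: -> 8-byte class name
         CLC   0(8,R2),=CL8'FACILITY'
         BNE   CHKUSER
         L     R2,RCXENTY              ASSUMED: -> entity (resource) name
         CLC   0(AUDRESL,R2),AUDRES+4
         BE    RETURN                  our own request: do nothing
*
* 2. Only the one exempted userid is affected.
CHKUSER  L     R2,RCXUSER              ASSUMED: -> 8-byte userid
         CLC   0(8,R2),TGTUSER
         BNE   RETURN
*
* 3. RCXRCODE -> the return code RACF has already decided on (thread).
         L     R3,RCXRCODE
         ICM   R4,15,0(R3)
         BZ    RETURN                  RC 0: already allowed, no override
*
* 4. Would have failed: record what RACF would have done, then grant.
         MVC   LOGSTR(LOGTLEN),LOGTMPL  copy the LOGSTR template
         CVD   R4,DWORK
         UNPK  LOGRC,DWORK+6(2)        original RC as 4 zoned digits
         OI    LOGRC+L'LOGRC-1,X'F0'
         MVC   LOGUSER,0(R2)           R2 still -> userid
         L     R2,RCXCLASS
         MVC   LOGCLASS,0(R2)
         L     R2,RCXENTY
         MVC   LOGENTY,0(R2)           ASSUMED: entity blank-padded
         XC    0(4,R3),0(R3)           RC := 0, access is granted
         MVC   RACPARM(RACPLEN),RACLIST  reentrant copy of list form
         RACROUTE REQUEST=AUTH,CLASS='FACILITY',ENTITYX=AUDRES,        X
               ATTR=READ,LOGSTR=LOGSTR,WORKA=RACFWA,                   X
               RELEASE=1.9,MF=(E,RACPARM)
*        its own RC is ignored: the SMF record is the point
*
RETURN   L     R13,SAVE+4
         STORAGE RELEASE,LENGTH=WALEN,ADDR=(R10)
         LM    R14,R12,12(R13)
         XR    R15,R15                 exit completed normally
         BR    R14
*
* ENTITYX form: 2-byte buffer length, 2-byte actual length, name.
AUDRES   DC    AL2(AUDRESL),AL2(AUDRESL),C'AUDIT.ICHRCX02.OVERRIDE'
AUDRESL  EQU   *-AUDRES-4              ASSUMED FACILITY profile name
TGTUSER  DC    CL8'SPECUSR'            ASSUMED userid to be exempted
* LOGSTR: 1-byte length followed by the text (max 255 bytes).
LOGTMPL  DC    AL1(LOGTLEN-1),C'ICHRCX02 OVERRIDE USER=',CL8' '
         DC    C' CLASS=',CL8' ',C' RESOURCE=',CL39' ',C' ORIGRC=',CL4' '
LOGTLEN  EQU   *-LOGTMPL
RACLIST  RACROUTE REQUEST=AUTH,CLASS='FACILITY',ATTR=READ,             X
               RELEASE=1.9,MF=L
RACPLEN  EQU   *-RACLIST
         LTORG
*
WORKAREA DSECT
SAVE     DS    18F
DWORK    DS    D
RACFWA   DS    CL512                   RACROUTE work area
RACPARM  DS    XL512                   execute-form parameter list
LOGSTR   DS    0C                      same layout as LOGTMPL
         DS    X,C'ICHRCX02 OVERRIDE USER='
LOGUSER  DS    CL8
         DS    C' CLASS='
LOGCLASS DS    CL8
         DS    C' RESOURCE='
LOGENTY  DS    CL39
         DS    C' ORIGRC='
LOGRC    DS    CL4
WALEN    EQU   *-WORKAREA
         ICHRCXP                       ASSUMED: maps RCXP
         END   ICHRCX02
```

For the nested RACROUTE to produce the record, the FACILITY profile named in AUDRES needs AUDIT(SUCCESS(READ)) and the exempted user needs READ access to it; the resulting SMF type 80 record then carries the LOGSTR text, so the user, class, resource and original return code of each override can be read back from SMF without a custom SMF writer. Because the exit runs under the requester's task, the nested request is evaluated with that user's ACEE, which is what makes the profile's success auditing apply to the right user.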
