Question about RACROUTE REQUEST=AUTH|FASTAUTH processing


ess...@juno.com

Mar 1, 2022, 11:36:24 AM
to ASSEMBL...@listserv.uga.edu
Hello,
.
I'm not a RACF person, I do understand some basic security principles.
Regarding a RACROUTE REQUEST=AUTH and RACROUTE REQUEST=FASTAUTH.
.
I am able to issue both of the above RACROUTE macros against a
facility profile with individual users. However, when an individual is part of a Group,
must I issue a second RACROUTE REQUEST=AUTH|FASTAUTH?
.
What is the appropriate processing for an Assembler routine - issuing RACROUTE REQUEST=AUTH|FASTAUTH,
to determine and test authorization without knowing if the request is for
an individual user or a user within a group?
.
Should the routine issue a second RACROUTE REQUEST?
Will the processing be handled by SAF/RACF?
.
Please clarify.
.
Paul D'Angelo
**************
**************

Peter Relson

Mar 3, 2022, 1:04:55 PM
to ASSEMBL...@listserv.uga.edu
<snip>
I am able to issue both of the above RACROUTE macros against a facility profile with individual users. However, when an individual is part of a Group, must I issue a second RACROUTE REQUEST=AUTH|FASTAUTH?
</snip>

This is not the kind of question best asked here. It has nothing to do with the assembler itself.

Authorization requests should almost always be based on a user ID. RACF does the authorization check based on the user ID and all of the groups to which the user has a valid connection. With some of the interfaces, the user ID is determined implicitly; with others it is provided explicitly.

The issuer of RACROUTE does not generally need to care how the customer set up their profiles and access lists, so does not care whether access is granted to an individual user ID or to a group to which the individual user ID is connected.

Peter Relson
z/OS Core Technology Design
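
A simplified Python model of the check described in the reply above, added here as an illustration; it is not RACF code and does not come from anyone in this thread. It assumes list-of-groups checking is active, that a user's own access-list entry takes precedence over group entries, and that a revoked connection is not a "valid connection"; global access checking, security labels and user attributes are left out, and all names and sample data are constructed.

```python
from dataclasses import dataclass, field

# Access levels in increasing order of authority.
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

@dataclass
class Profile:
    """Constructed stand-in for a general resource profile (e.g. class FACILITY)."""
    uacc: str = "NONE"
    access_list: dict = field(default_factory=dict)  # user ID or group -> level

@dataclass
class User:
    userid: str
    connections: dict = field(default_factory=dict)  # group -> connection valid?

def effective_access(user, profile):
    """Return (level, source) that the model grants this user on the profile."""
    # Assumption: an entry for the user ID itself decides, even when it is NONE.
    if user.userid in profile.access_list:
        return profile.access_list[user.userid], "user:" + user.userid
    # Otherwise take the highest level among groups with a valid connection.
    best = None
    for group, valid in user.connections.items():
        if valid and group in profile.access_list:
            level = profile.access_list[group]
            if best is None or LEVELS[level] > LEVELS[best[0]]:
                best = (level, "group:" + group)
    # No matching entry at all: fall back to universal access (UACC).
    return best if best else (profile.uacc, "uacc")

def check_auth(user, profile, attr):
    """One request per check, modelled on SAF return codes: 0 allowed, 8 denied."""
    level, _source = effective_access(user, profile)
    return 0 if LEVELS[level] >= LEVELS[attr] else 8

# Constructed sample data: one profile, access granted both ways.
PROFILE = Profile(access_list={"ALICE": "READ", "BOB": "NONE", "OPSGRP": "UPDATE"})
ALICE = User("ALICE", {"OPSGRP": True})   # own entry (READ) wins over group
BOB = User("BOB", {"OPSGRP": True})       # own entry NONE wins over group
CAROL = User("CAROL", {"OPSGRP": True})   # access only through the group
DAVE = User("DAVE", {"OPSGRP": False})    # revoked connection, falls to UACC

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL, DAVE):
        print(u.userid, effective_access(u, PROFILE), check_auth(u, PROFILE, "READ"))
```

The caller passes only a user and a requested level; whether the grant came from a user entry or a group entry is resolved inside the check, which is why a second request is not needed.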

Ed Jaffe

Mar 3, 2022, 2:05:06 PM
to ASSEMBL...@listserv.uga.edu
On 3/1/2022 8:34 AM, ess...@juno.com wrote:
> I am able to issue both of the above RACROUTE macros against a
> facility profile with individual users. However, when an individual is part of a Group,
> must I issue a second RACROUTE REQUEST=AUTH|FASTAUTH?

Definitely NOT!

The group to which such queries should be posted is RACF-L hosted by
LISTSERV.UGA.EDU.


--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
https://www.phoenixsoftware.com/

