z/os User Defined Function that calls RACF

Gary Hassani

z/os User Defined Function that calls RACF

Hello,

I am writing a UDF used within a query to check the security of each row to be returned using RACF.

I am struggling with the RACF calls.

Is this a valid approach?   (is calling RACF within a UDF invalid?)

Has anyone else done this?

 

I am attempting to create an ACEE with REQUEST=VERIFY ENVIR=CREATE

using code that works in my own address space but in this environment produces:

R15: 4

SAFPRRET=0

SAFPRREA=0

 

z/os 2.3

Jørn Thyssen

RE: z/os User Defined Function that calls RACF
(in response to Gary Hassani)

Hi Gary,

What is the business requirement ?

Have you looked at row permissions?

Best regards,

Jørn Thyssen

Rocket Software
77 Fourth Avenue • Waltham, MA • 02451 • USA
W: www.rocketsoftware.com

Views are personal. 

Gary Hassani

RE: z/os User Defined Function that calls RACF
(in response to Jørn Thyssen)

Thank you sir.

 

The business requirement is to verify RACF JESSPOOL READ access for each row

James Campbell

z/os User Defined Function that calls RACF
(in response to Gary Hassani)
What USER are you specifying? Is the function defined to have SECURITY USER ? If so,
DB2 should be providing a task level ACEE on 'the primary authorization ID of the process
that invoked the function'

If not, how are you authenticating whatever USER you are specifying?

You have just reached the limit of my knowledge of RACF macros. I suggest you take this
up on RACF-L
https://listserv.uga.edu/cgi-bin/wa?A0=RACF-L

James Campbell


On 15 Feb 2018 at 15:35, Gary Hassani wrote:

>
> Hello,
> I am writing a UDF used within a query to check the security of each row to be returned using
> RACF.
> I am struggling with the RACF calls.
> Is this a valid approach?   (is calling RACF within a UDF invalid?)
> Has anyone else done this?
>  
> I am attempting to create an ACEE with REQUEST=VERIFY ENVIR=CREATE
> using code that works in my own address space but in this environment produces:
> R15: 4
> SAFPRRET=0
> SAFPRREA=0
>  
> z/os 2.3
>
>

Michael Hannan

RE: z/os User Defined Function that calls RACF
(in response to Gary Hassani)

Gary,

This approach does not sound sensible to me. You have to consider the overheads of UDFs and RACF Calls. Normally you would not want that on a row by row basis unless dealing with very low volumes of data.

DB2 defines table Access levels for Authids and secondary authids. Also DB2 can define row permissions. Look up these topics in the manuals.

RACF controls ability to connect to Secondary Authids.

I am not a security expert, but I think doing row access control via the normal approaches is more sensible. Just my opinions with a Performance Hat on.

DB2 gives you a lot of rope. Use the technology wisely. A lot of inappropriate use of features in the DB2 world.

In Reply to Gary Hassani:

Hello,

I am writing a UDF used within a query to check the security of each row to be returned using RACF.

I am struggling with the RACF calls.

Is this a valid approach?   (is calling RACF within a UDF invalid?)

Has anyone else done this?

 

I am attempting to create an ACEE with REQUEST=VERIFY ENVIR=CREATE

using code that works in my own address space but in this environment produces:

R15: 4

SAFPRRET=0

SAFPRREA=0

 

Michael Hannan,
DB2 Application Performance Specialist
CPT Global Ltd

Edited By:
Michael Hannan[Organization Members] @ Feb 18, 2018 - 12:52 PM (Europe/Berlin)
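The row-permission alternative that Jørn and Michael both point to, as an added example rather than code from any poster: a DB2 for z/OS row permission that lets DB2 filter rows by the requester's RACF group membership, so no RACROUTE is issued from a UDF per row. The table SPOOL_INDEX and its OWNER_GROUP column are assumed names, and the statements need SECADM authority.

```sql
-- Assumed table: one row per spool data set, with the RACF group that owns it.
-- (constructed for this example; not from the original thread)
CREATE TABLE SPOOL_INDEX (
    JOBNAME      CHAR(8)      NOT NULL,
    JOBID        CHAR(8)      NOT NULL,
    DSNAME       VARCHAR(44)  NOT NULL,
    OWNER_GROUP  CHAR(8)      NOT NULL   -- RACF group allowed to read the row
);

-- Row permission: a row is visible only if the session's authorization ID
-- (SESSION_USER) is connected to the RACF group named in OWNER_GROUP.
-- VERIFY_GROUP_FOR_USER is a DB2 built-in that consults the RACF group list
-- of the authorization ID; it returns 1 on a match and 0 otherwise.
CREATE PERMISSION SPOOL_GROUP_READ ON SPOOL_INDEX
    FOR ROWS WHERE VERIFY_GROUP_FOR_USER(SESSION_USER, OWNER_GROUP) = 1
    ENFORCED FOR ALL ACCESS
    ENABLE;

-- Until row access control is activated, the permission has no effect.
-- Once activated, DB2 applies an implicit default permission that returns
-- no rows, so any row not granted by SPOOL_GROUP_READ is denied.
ALTER TABLE SPOOL_INDEX ACTIVATE ROW ACCESS CONTROL;

-- Any query is now rewritten by DB2 to include the predicate above:
SELECT JOBNAME, JOBID, DSNAME
  FROM SPOOL_INDEX
 ORDER BY JOBNAME, JOBID;
```

This enforces group membership as DB2 sees it, not a JESSPOOL READ check against the profile protecting each data set, so the OWNER_GROUP values have to be kept in step with the JESSPOOL access lists.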

Binyamin Dissen

z/os User Defined Function that calls RACF
(in response to Gary Hassani)
DECOUPL=YES

On Thu, 15 Feb 2018 15:35:48 -0700 (MST) Gary Hassani wrote:

:>Hello,
:>I am writing a UDF used within a query to check the security of each row to be returned using RACF.
:>I am struggling with the RACF calls.
:>Is this a valid approach?   (is calling RACF within a UDF invalid?)
:>Has anyone else done this?
 
:>I am attempting to create an ACEE with REQUEST=VERIFY ENVIR=CREATE
:>using code that works in my own address space but in this environment produces:
:>R15: 4
:>SAFPRRET=0
:>SAFPRREA=0

:>z/os 2.3

--
Binyamin Dissen
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel
