To check if the user have access to the file or not



IBM's Command List programming language & Restructured Extended Executor

To check if the user have access to the file or not

Postby balamurali cl » Thu Jan 03, 2013 9:42 pm

Hi All,

We use the command "SB" (safe browse) in front of file to check if we have access or not for production files.

I am using the same command in REXX for one of my tools.

/*REXX*/
SAY 'ENTER DSN FILE'
PARSE DSN
X=OUTTRAP("LIST.")
ADDRESS TSO
"SB ||DSN"
X=OUTTRAP("OFF")
DO I=1 TO LIST.0
SAY LIST.I
END


Here I am not able to capture the output of the command.

The same command when execute in ISPF screen ie in front of file. We get the message like "READ ACCESS" or "ACCESS DENIED" .

Can you please let me know whats the issue?

Or let me know anyother way to know if the user has access....I havethe LD DS ("DSN") GEN command..But executing ths command against a dataste that we dont have access is issue!!!
balamurali cl
 
Posts: 36
Joined: Mon Sep 03, 2012 9:01 pm
Has thanked: 2 times
Been thanked: 0 time

Re: To check if the user have access to the file or not

 

Re: To check if the user have access to the file or not

Postby Akatsukami » Thu Jan 03, 2013 9:59 pm

From the z/OS TSO/E REXX Reference:
If you plan to write your own command processors for use in REXX execs, and you plan to use the OUTTRAP external function to trap command output, note the OUTTRAP function does not trap command output that is sent to the terminal by:

•TPUT
•WTO macro
•messages issued by TSO/E REXX (that is, messages beginning with IRX)
•messages issued by TRACE output

In my shop, RACF access is considered NPI, and is therefore only made available on a need-to-know basis. To the left, generating a S913 abend is not ipso facto a termination offense, so we don't try to check access.
"You have sat too long for any good you have been doing lately ... Depart, I say; and let us have done with you. In the name of God, go!" -- what I say to a junior programmer at least once a day
User avatar
Akatsukami
Global moderator
 
Posts: 1053
Joined: Sat Oct 16, 2010 2:31 am
Location: Bloomington, IL
Has thanked: 6 times
Been thanked: 51 times

Re: To check if the user have access to the file or not

Postby steve-myers » Thu Jan 03, 2013 10:25 pm

You can use this CLIST in a RACF environment to test if you have read access to a data set.
PROC 1 DATASET
CONTROL NOLIST
SET &SYSOUTTRAP = 100
LISTDSD DATASET(&DATASET) GENERIC
SET RC = &LASTCC
SET &SYSOUTTRAP = 0
IF &RC = 0 THEN +
 WRITE YOU APPEAR TO HAVE ACCESS TO &DATASET
ELSE +
 WRITE YOU DO NOT APPEAR TO HAVE ACCESS TO &DATASET
If you do not have some sort of access the LISTDSD command completes with a non-zero return code; if you do have access, LISTDSD completes with a 0 return code.

If you store the CLIST in your SYSPROC dataset you can run the CLIST as a line command in an ISPF 3.4 screen.

A useful enhancement to the CLIST would be to complete with the return code from the LISTDSD command so ISPF will display the return code to the right of the data set name in the ISPF 3.4 display. Another alternate is to test if you are in an ISPF environment and just exit with the return code without displaying the message.
steve-myers
Global moderator
 
Posts: 1886
Joined: Thu Jun 03, 2010 6:21 pm
Has thanked: 4 times
Been thanked: 197 times

Re: To check if the user have access to the file or not

Postby Pedro » Fri Jan 04, 2013 12:34 am

RACF access is considered NPI,

re NPI: No Pun Intended? not exactly sure of the meaning.

We get the message like "READ ACCESS" or "ACCESS DENIED" .

As Akatsukami pointed out, the OUTTRAP does not capture everything that is displayed on the terminal. If the message you refer to is an ISPF message, that falls into the TPUT category and is not captured. Instead of calling SB, you need to clone the SB command and modify it. Instead of an ISPF message, use the SAY instruction.
Pedro Vera
User avatar
Pedro
 
Posts: 569
Joined: Thu Jul 31, 2008 9:59 pm
Location: Silicon Valley
Has thanked: 0 time
Been thanked: 39 times

Re: To check if the user have access to the file or not

Postby Akatsukami » Fri Jan 04, 2013 1:04 am

Pedro wrote:
RACF access is considered NPI,

re NPI: No Pun Intended? not exactly sure of the meaning.

Non-public Personal Information (no, I don't know why it isn't "NPPI").
"You have sat too long for any good you have been doing lately ... Depart, I say; and let us have done with you. In the name of God, go!" -- what I say to a junior programmer at least once a day
User avatar
Akatsukami
Global moderator
 
Posts: 1053
Joined: Sat Oct 16, 2010 2:31 am
Location: Bloomington, IL
Has thanked: 6 times
Been thanked: 51 times

Re: To check if the user have access to the file or not

Postby enrico-sorichetti » Fri Jan 04, 2013 1:25 am

the whole topic is a moot point ...

if the <end user> does not have the proper authorities
any attempt to check the file access authorization
might be reported as an ATTEMPT to access the same
with the obvious consequences

tryin to <list> a dataset without having the authority will result in ( test case )

ICH35002I NOT AUTHORIZED TO LIST RACTEST.*



I still believe that security issues should be off limits on a forum
too many ask without having an idea of the consequences
( and worse the same applies too often also to people answering )
cheers
enrico
When I tell somebody to RTFM or STFW I usually have the page open in another tab/window of my browser,
so that I am sure that the information requested can be reached with a very small effort
enrico-sorichetti
Global moderator
 
Posts: 2644
Joined: Fri Apr 18, 2008 11:25 pm
Has thanked: 0 time
Been thanked: 130 times

Re: To check if the user have access to the file or not

Postby nevilh » Fri Jan 04, 2013 6:38 pm

I suspect that the SB command is issueing a RACHECK and just checking the Return Code and issueing a message based on the Return Code. This used to be a common approach in sites that used Top Secret instead of RACF. The reason was many administrators used to set a maximum number of Security errors allowed per session. If this number was exceeded the Userid was revoked. It was therefore necesssary to have a possibility to check the access without generating a Security error.
nevilh
 
Posts: 38
Joined: Wed Jun 01, 2011 8:28 pm
Has thanked: 0 time
Been thanked: 3 times


Return to CLIST & REXX

 


  • Related topics
    Replies
    Views
    Last post