
how to racf protect particular options in a ISPF panel

Posted: Sun May 05, 2013 7:29 am
by poojithas
Hi,
At our site we have the M More IBM Products panel (panel ID IBMPRODS). In this panel we have options to select various products like HCD, ISMF, etc. I want to allow only certain users to select the HCD & ISMF options.
I have full access to RACF; is there a way to do this using RACF? Can I do a RACF check in the IBMPRODS panel definition? Please help.

Re: how to racf protect particular options in a ISPF panel

Posted: Sun May 05, 2013 9:00 am
by steve-myers
I don't think there is anything in ISPF for this.

SDSF does extensive RACROUTE calls for options in its SDSF PRIMARY OPTION MENU. For all I know other products do something similar, but, truly, that's the extent of my knowledge.

Re: how to racf protect particular options in a ISPF panel

Posted: Mon May 06, 2013 9:16 am
by jaggz
Poojithas,

Instead of RACF protecting, you can create a separate TSOPROC and remove the datasets related to HCD, ISMF, RACF from the DD statements.

Please let me know if you are still not CLEAR.

Jaggz

Re: how to racf protect particular options in a ISPF panel

Posted: Mon May 06, 2013 8:06 pm
by Stefan
The ISPF panel language itself does not provide any means for a security check. But you might consider using embedded REXX when verifying a selected option.
Have a look at the manuals.
Your coding could look like
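IF (&OPTION = 1)
   *REXX(ACCESS)
   /* Locate the ACEE: PSAAOLD -> ASCB -> ASCBASXB -> ASXBSENV        */
   access = 0
   ascb   = c2d(storage(224,4))
   asxb   = c2d(storage(d2x(ascb+108),4))
   acee   = c2d(storage(d2x(asxb+200),4))
   /* Group name and terminal id from the ACEE (not used below)       */
   len    = c2d(storage(d2x(acee+29),1))
   gid    =     storage(d2x(acee+30),len)
   tid    =     storage(d2x(acee+64),8)
   /* Address of the connect group table                              */
   cgrp   = c2d(storage(d2x(acee+116),4))
   if cgrp <> 0 then do
      if storage(d2x(cgrp),4) = "CGRP" then do
         /* Entry count at +8, first entry at +32, 24 bytes per entry */
         numofgrp = c2d(storage(d2x(cgrp+8),2))
         grpent = cgrp+32
         do i = 1 to numofgrp
            group = storage(d2x(grpent),8)
            if group = 'RACADM' then access = 1
            grpent = grpent + 24
         end
      end
   end
   exit 4
   *ENDREXX
IF (&ACCESS = 0)
    .MSG    = MS0029
    .MSGLOC = OPTION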

This assumes that you're checking the selection variable OPTION. Now the REXX checks if the TSO user is a member of RACF group RACADM. If so it sets the variable ACCESS to "1", otherwise the variable will have "0". After processing the embedded REXX you can issue an error message according to the content of the variable ACCESS.

Give it a try
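
The connect-group walk from the post above, generalized as an added example (not code from the thread): a standalone TSO/E REXX function that accepts a list of group names and returns 0 unless both the ACEE and CGRP eye-catchers check out, so a bad pointer denies access instead of granting it. The exec name INGROUP and the PSA/ASCB/ASXB offsets are assumptions not stated in the thread; the ACEE and CGRP offsets are the ones used in Stefan's code.

```rexx
/* REXX - INGROUP (hypothetical name, added example)                  */
/* Returns 1 if the current TSO user is connected to any RACF group   */
/* named in the argument string, otherwise 0.                         */
/* Example call:  if ingroup('RACADM SYSPROG') then ...               */
parse upper arg wanted
numeric digits 10               /* 4-byte addresses can exceed 9 digits */

/* Assumed chain: PSAAOLD (PSA+X'224') -> ASCBASXB (+108) -> ASXBSENV (+200) */
ascb = c2d(storage('224',4))
asxb = c2d(storage(d2x(ascb+108),4))
acee = c2d(storage(d2x(asxb+200),4))

/* Fail closed: no ACEE, or an unexpected eye-catcher, means no access */
if acee = 0 then return 0
if storage(d2x(acee),4) <> 'ACEE' then return 0

cgrp = c2d(storage(d2x(acee+116),4))   /* connect group table pointer  */
if cgrp = 0 then return 0
if storage(d2x(cgrp),4) <> 'CGRP' then return 0

count = c2d(storage(d2x(cgrp+8),2))    /* number of group entries      */
entry = cgrp + 32                      /* first entry follows header   */
do i = 1 to count
   /* Names are 8 bytes, blank padded; strip before the word match so  */
   /* RACADM does not match a longer name such as RACADM2              */
   group = strip(storage(d2x(entry),8))
   if wordpos(group, wanted) > 0 then return 1
   entry = entry + 24                  /* each entry is 24 bytes       */
end
return 0
```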