REXX only update Production file




Postby paulibm1 » Mon Aug 14, 2017 8:19 pm

I'm writing a REXX routine that will update a production control file based on user input. This file will be used to trigger a nightly job if there is data in the file. I'm trying to figure out if I can control the update of the file so that it can only be updated through the REXX screen. I don't want anyone to be able to manually update the file by editing it in TSO.

My shop uses ACF2 for security. I know I can restrict the file access to certain userids and give only those userids access to the REXX routine, but I want to make sure those users go through the REXX screen. If I restrict the file access to a "fake" userid, is there a way I could have the REXX routine "log on" with the fake ID, so the file could only be updated through REXX with the fake ID? Any other ideas?

My other option is to do this with CICS if I can't figure out how to do it with REXX.

Thanks! Paul

Re: REXX only update Production file

Postby Robert Sample » Mon Aug 14, 2017 10:03 pm

Have you talked to your site security group? If not, you should talk to them -- they most likely know the most about your site setup and how what you want to do can be achieved (if it is possible) at your site.

Re: REXX only update Production file

Postby paulibm1 » Mon Aug 14, 2017 10:09 pm

Thanks for the reply, Robert. I have discussed this with my security group. They were not aware of any way to handle this situation using REXX; they recommended using CICS. I thought I would throw it out to this forum to see if anyone had any other ideas.

Re: REXX only update Production file

Postby Pedro » Tue Aug 15, 2017 4:04 am

(I am not familiar with ACF2).

I do not think you can do what you want using REXX. However, you can probably do it with an assembler program. Give access to the program.

RACF allows the use of a surrogate userid: one user submitting a job for a different user. However, you still have the problem of the user building their own job to modify the data set rather than using your JCL.

-----------------
I think the user should be allowed to update a staging data set and then have your nightly job read it and verify it before copying from the staging data set to a production data set. Provide a way for the user to verify the data set; likely, he does not want to provide a corrupted data set any more than you do.
Pedro Vera

Re: REXX only update Production file

Postby steve-myers » Tue Aug 15, 2017 12:15 pm

There is no such thing as a "Rexx screen."

In any event, to me, when I put on my security auditor hat, the whole idea seems rather flaky. Most likely I'd write up the whole idea as too insecure.

However, the idea of giving users some degree of control over periodic production requirements seems, to me, to have merit.

Like Pedro, I don't know ACF2 very well. 35 years ago was a different story, but that was long ago. Most of my current security knowledge these days is RACF. Some RACF details, especially in CICS, are still a mystery to me.

Nonetheless, on the face of it I'm inclined to agree with your site security that a CICS-based solution might be best, or a combination of Rexx and ISPF dialogs might work well. You need to have your production control people involved in this too, so everyone agrees on the types of control your users can specify and the product people can implement. Good luck!

Re: REXX only update Production file

Postby willy jensen » Tue Aug 15, 2017 1:44 pm

Just a thought - compile and link your REXX program and allow access to that dataset only through the program. I know that RACF has that capability, so I assume that ACF2 has it too.
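The program-conditioned access mentioned in the post above, sketched for RACF as an added example that is not part of the thread or any poster's code. The data set, load library, program and group names are hypothetical placeholders, the exec assumes no profile exists yet for the data set, and the ACF2 equivalent is not shown.

```rexx
/* REXX - added example, not from the thread. Hypothetical names:        */
/*   PROD.CONTROL.FILE  the production control data set                  */
/*   PROD.CTL.LOADLIB   load library holding the update program          */
/*   CTLUPDT            the only program allowed to update the file      */
/*   CTLUSERS           RACF group of users allowed to run that program  */
/* Run by a RACF administrator; stops at the first failing command.      */
dsn = "'PROD.CONTROL.FILE'"

/* 1. Make the update program a controlled program.                      */
cmd.1 = "RDEFINE PROGRAM CTLUPDT",
        "ADDMEM('PROD.CTL.LOADLIB'//PADCHK) UACC(NONE)"
/* 2. Let the user group execute it.                                     */
cmd.2 = "PERMIT CTLUPDT CLASS(PROGRAM) ID(CTLUSERS) ACCESS(READ)"
/* 3. Protect the data set with no default access.                       */
cmd.3 = "ADDSD" dsn "GENERIC UACC(NONE)"
/* Weak form, for contrast (not issued): an unconditional permit lets    */
/* the group update the data set from ISPF edit or any other program:    */
/*    PERMIT 'PROD.CONTROL.FILE' GENERIC ID(CTLUSERS) ACCESS(UPDATE)     */
/* 4. Conditional permit: UPDATE only while running under CTLUPDT.       */
cmd.4 = "PERMIT" dsn "GENERIC ID(CTLUSERS) ACCESS(UPDATE)",
        "WHEN(PROGRAM(CTLUPDT))"
/* 5. Activate program control and refresh in-storage profiles.          */
cmd.5 = "SETROPTS WHEN(PROGRAM) REFRESH"
cmd.6 = "SETROPTS GENERIC(DATASET) REFRESH"
/* 6. Check: the group must appear only in the conditional access list.  */
cmd.7 = "LISTDSD DATASET("dsn") GENERIC AUTHUSER"
cmd.0 = 7

do i = 1 to cmd.0
  say "==>" cmd.i
  address tso cmd.i
  if rc <> 0 then do
    say "Command failed, RC="rc"; stopping before later steps run."
    exit rc
  end
end
exit 0
```

RACF grants the conditional access only while every program loaded in the environment is itself a controlled program, so how the REXX front end invokes the update program needs testing before relying on this.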

Re: REXX only update Production file

Postby paulibm1 » Tue Aug 15, 2017 5:54 pm

Thanks for all the suggestions. A little more background. As part of the REXX routine, I would also be updating an audit file to keep track of who is updating the production file. That way if there is an issue, I can track down the cause. I know the users don't want to input corrupt data, but mistakes happen. Also, I know that if it's possible to take a shortcut and update the dataset directly, someone will do it. Then I lose my audit trail. I am working with my production control people; they suggested the audit file. But the more we look into using REXX, the more we are running into challenges. It's a great tool which is quick and easy to use, but might not be robust enough for this application.

I like the idea of the REXX compile/link option; unfortunately, we don't have the REXX compiler here. I'm going to do a little more digging into ACF2; maybe there's something else I can do with ACF2.

Re: REXX only update Production file

Postby enrico-sorichetti » Tue Aug 15, 2017 6:28 pm

"but might not be robust enough for this application."

why blame the <others> ?
Your skills might not be robust enough :mrgreen:

keep the data in a DB2 table and extract it from there at run time
( one step to read the DB2 table and create a sequential dataset )
the extractor could be written in REXX
btdtgtts

anyway whatever security controls might be in place ( for the dataset update access )
even updating the control dataset with a user written application might result in erroneous data
cheers
enrico
When I tell somebody to RTFM or STFW I usually have the page open in another tab/window of my browser,
so that I am sure that the information requested can be reached with a very small effort

Re: REXX only update Production file

Postby willy jensen » Wed Aug 16, 2017 1:28 pm

"I would also be updating an audit file to keep track of who is updating the production file"

You can easily find that information through SMF type 15. And that is independent of whether your application or straight ISPF edit is used.
Perhaps your application could do a backup to a GDS, so you always have a restore point.

Re: REXX only update Production file

Postby paulibm1 » Wed Aug 16, 2017 5:01 pm

Since we don't have the REXX compiler, I'm going to call a COBOL program to write to the file. I'll have security set up so only the COBOL program can update the file. Thanks for all the great suggestions. Paul

