Page 1 of 1

To check if the user have access to the file or not

PostPosted: Thu Jan 03, 2013 9:42 pm
by balamurali cl
Hi All,

We use the command "SB" (safe browse) in front of file to check if we have access or not for production files.

I am using the same command in REXX for one of my tools.

/*REXX*/
SAY 'ENTER DSN FILE'
PARSE DSN
X=OUTTRAP("LIST.")
ADDRESS TSO
"SB ||DSN"
X=OUTTRAP("OFF")
DO I=1 TO LIST.0
SAY LIST.I
END


Here I am not able to capture the output of the command.

The same command when execute in ISPF screen ie in front of file. We get the message like "READ ACCESS" or "ACCESS DENIED" .

Can you please let me know whats the issue?

Or let me know anyother way to know if the user has access....I havethe LD DS ("DSN") GEN command..But executing ths command against a dataste that we dont have access is issue!!!

Re: To check if the user have access to the file or not

PostPosted: Thu Jan 03, 2013 9:59 pm
by Akatsukami
From the z/OS TSO/E REXX Reference:
If you plan to write your own command processors for use in REXX execs, and you plan to use the OUTTRAP external function to trap command output, note the OUTTRAP function does not trap command output that is sent to the terminal by:

•TPUT
•WTO macro
•messages issued by TSO/E REXX (that is, messages beginning with IRX)
•messages issued by TRACE output

In my shop, RACF access is considered NPI, and is therefore only made available on a need-to-know basis. To the left, generating a S913 abend is not ipso facto a termination offense, so we don't try to check access.

Re: To check if the user have access to the file or not

PostPosted: Thu Jan 03, 2013 10:25 pm
by steve-myers
You can use this CLIST in a RACF environment to test if you have read access to a data set.
PROC 1 DATASET
CONTROL NOLIST
SET &SYSOUTTRAP = 100
LISTDSD DATASET(&DATASET) GENERIC
SET RC = &LASTCC
SET &SYSOUTTRAP = 0
IF &RC = 0 THEN +
 WRITE YOU APPEAR TO HAVE ACCESS TO &DATASET
ELSE +
 WRITE YOU DO NOT APPEAR TO HAVE ACCESS TO &DATASET
If you do not have some sort of access the LISTDSD command completes with a non-zero return code; if you do have access, LISTDSD completes with a 0 return code.

If you store the CLIST in your SYSPROC dataset you can run the CLIST as a line command in an ISPF 3.4 screen.

A useful enhancement to the CLIST would be to complete with the return code from the LISTDSD command so ISPF will display the return code to the right of the data set name in the ISPF 3.4 display. Another alternate is to test if you are in an ISPF environment and just exit with the return code without displaying the message.

Re: To check if the user have access to the file or not

PostPosted: Fri Jan 04, 2013 12:34 am
by Pedro
RACF access is considered NPI,

re NPI: No Pun Intended? not exactly sure of the meaning.

We get the message like "READ ACCESS" or "ACCESS DENIED" .

As Akatsukami pointed out, the OUTTRAP does not capture everything that is displayed on the terminal. If the message you refer to is an ISPF message, that falls into the TPUT category and is not captured. Instead of calling SB, you need to clone the SB command and modify it. Instead of an ISPF message, use the SAY instruction.

Re: To check if the user have access to the file or not

PostPosted: Fri Jan 04, 2013 1:04 am
by Akatsukami
Pedro wrote:
RACF access is considered NPI,

re NPI: No Pun Intended? not exactly sure of the meaning.

Non-public Personal Information (no, I don't know why it isn't "NPPI").

Re: To check if the user have access to the file or not

PostPosted: Fri Jan 04, 2013 1:25 am
by enrico-sorichetti
the whole topic is a moot point ...

if the <end user> does not have the proper authorities
any attempt to check the file access authorization
might be reported as an ATTEMPT to access the same
with the obvious consequences

tryin to <list> a dataset without having the authority will result in ( test case )

ICH35002I NOT AUTHORIZED TO LIST RACTEST.*



I still believe that security issues should be off limits on a forum
too many ask without having an idea of the consequences
( and worse the same applies too often also to people answering )

Re: To check if the user have access to the file or not

PostPosted: Fri Jan 04, 2013 6:38 pm
by nevilh
I suspect that the SB command is issueing a RACHECK and just checking the Return Code and issueing a message based on the Return Code. This used to be a common approach in sites that used Top Secret instead of RACF. The reason was many administrators used to set a maximum number of Security errors allowed per session. If this number was exceeded the Userid was revoked. It was therefore necesssary to have a possibility to check the access without generating a Security error.