$UsrPriv: Difference between revisions
Latest revision as of 19:54, 3 January 2018
The $UsrPriv function is used to test whether a user ID has been granted specific Model 204 privileges.
Syntax
The format of the $UsrPriv function is:
$UsrPriv(privilege, logging-option)
Where:
- privilege is the privilege that is to be validated. Privilege can be one of the following values:
  - ANY_ADMINISTRATOR
    The ANY_ADMINISTRATOR privilege test verifies that the user is User 0 or a system manager.
  - CHANGE_FILE_PASSWORD
  - CHANGE_LOGIN_PASSWORD
  - OVERRIDE_RECORD_SECURITY
  - SUPER_USER
  - SYSTEM_ADMINISTRATOR
  - SYSTEM_MANAGER
- logging-option specifies whether Model 204 should indicate that an error message should be issued for security violations:
  - LOG indicates that any privilege violation is logged.
  - NOLOG indicates that the privileges should be determined but any violation found is not logged.

  Currently, the logging option affects only the Security Server (formerly RACF) or Top Secret interface. The option has no effect on Model 204; the ACF2 Interface always logs a security violation regardless of the logging option.

  LOG is the default if a logging option is not specified.
$UsrPriv returns a numeric true/false value indicating the result of the authorization check, as follows:
Value | User is... |
---|---|
0 | Not authorized for the privilege or an unknown privilege name is specified. |
1 | Authorized for the specified privilege. |
Example
The following statement could be used to test if the current user ID is authorized as a system manager.
    IF $USRPRIV('SYSTEM_MANAGER','NOLOG') THEN
    .
    .
    .
    * PERFORM SYSTEM MANAGER AUTHORIZED CODE
    END IF
    * ELSE UNAUTHORIZED FOR SYSTEM MANAGER FUNCTIONS
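Because $UsrPriv returns 0 both for an unauthorized user and for an unknown privilege name, a misspelled name denies access silently. The Python check below is an added example, not part of the original page or of Model 204: it scans SOUL source for $UsrPriv calls and reports unknown names and omitted logging options. `lint_usrpriv` and the sample source are hypothetical, and names are assumed to be written exactly as listed above.

```python
import re

# Privilege names and logging options exactly as listed on this page.
KNOWN_PRIVILEGES = {
    "ANY_ADMINISTRATOR", "CHANGE_FILE_PASSWORD", "CHANGE_LOGIN_PASSWORD",
    "OVERRIDE_RECORD_SECURITY", "SUPER_USER", "SYSTEM_ADMINISTRATOR",
    "SYSTEM_MANAGER",
}
LOGGING_OPTIONS = {"LOG", "NOLOG"}
# The page writes the function as both $UsrPriv and $USRPRIV, so match any case.
CALL_RE = re.compile(r"\$usrpriv\s*\(([^)]*)\)", re.IGNORECASE)

# Constructed sample source, for illustration only.
SAMPLE = """\
IF $USRPRIV('SYSTEM_MANAGER','NOLOG') THEN
   PRINT 'MANAGER MENU'
END IF
* $UsrPriv('BOGUS') inside a comment line is skipped
IF $UsrPriv('SYSTM_MANAGER','NOLOG') THEN
IF $UsrPriv('SUPER_USER') THEN
IF $UsrPriv(%PRIV,'LOGIT') THEN
"""

def is_literal(arg):
    """True when the argument is a single-quoted string literal."""
    return len(arg) >= 2 and arg[0] == "'" and arg[-1] == "'"

def lint_usrpriv(source):
    """Return (line_no, message) findings for every $UsrPriv call in the source."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("*"):  # comment line, as in the page's example
            continue
        for m in CALL_RE.finditer(line):
            args = [a.strip() for a in m.group(1).split(",")]
            priv = args[0]
            if not is_literal(priv):
                findings.append((line_no, "privilege is not a literal; review by hand"))
            elif priv[1:-1] not in KNOWN_PRIVILEGES:
                findings.append((line_no, f"unknown privilege {priv}: always returns 0"))
            if len(args) < 2 or args[1] == "":
                findings.append((line_no, "no logging option: defaults to LOG"))
            elif is_literal(args[1]) and args[1][1:-1] not in LOGGING_OPTIONS:
                findings.append((line_no, f"unknown logging option {args[1]}"))
    return findings
```

Calls whose arguments are variables cannot be checked statically, so they are reported for manual review rather than passed.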
$UsrPriv and application subsystems
Generally speaking, $UsrPriv will return a value based upon the user's privileges. However, if $UsrPriv is called from within application subsystem (APSY) code, then subsystem privileges may override standard user privileges, as follows:
- If APSY privileges have been set, $UsrPriv returns a value based upon the subsystem privileges rather than the user's privileges.
- If start login privileges have been set for the subsystem, and $UsrPriv is called from within the subsystem initialization procedure, $UsrPriv returns a value based upon the start login privileges.
- If the user's sclass has privileges set, they override standard subsystem privileges for the user, and $UsrPriv returns a value based upon the sclass privileges.