$Sir_Check_Access

From m204wiki
Revision as of 15:52, 4 December 2018 by DCameron (talk | contribs)

Provide interface to an external authorizer

The $Sir_Check_Access function allows installations to code sophisticated interfaces between Model 204 applications and a System Authorization Facility such as RACF or ACF2. $Sir_Check_Access lets a system security administrator maintain controls over "data set names" that identify intended application actions. By calling the function at strategic points, a SOUL program can provide security with arbitrary granularity.

Note: Use of this function requires purchase of the SirSafe add-on product.

Syntax

%rc = $Sir_Check_Access(dsn, prefix, access, log)

Syntax terms

%rc      A numeric return code.
dsn      An uppercase "data set name," following the usual rules.

         Note: If a prefix is provided, the prefix is concatenated to the beginning of dsn with a separating period (.), and the resulting string length must be less than 44 characters.

prefix   A string indicating whether the provided data set name is to be prefixed. Valid values are:
           NONE       No prefix is to be provided (the default).
           AUTH       The same HLQ (high-level qualifier) used by SirSafe, determined by the external authorizer in use:
                        RACF        The RACF control group name in effect for the run (default M204RACF).
                        ACF2        The character "R" with the ACF2 resource type appended (default R204).
                        TOPSECRET   The Top Secret ACID in effect for the run (default M204TOPS).
           JOB        The current job name.
           JOB.STEP   The current job name and step name separated by a period.
           AUTH.JOB   The SirSafe HLQ and job name separated by a period.
           CCASYS     The data set name for CCASYS.
access   Flag indicating desired access: R for read, or W for write. The default is R.
log      Flag indicating whether failed access checks should be logged: Y or N. The default is N, which suppresses logging.

Return codes

$Sir_Check_Access returns an integer value, as follows:

2 No authorizer running, call ignored
1 Access not allowed
0 Access allowed
-1 Resulting dsname (prefix.dsname) invalid
-2 Prefix argument invalid
-3 Read/write flag invalid
-4 Log/nolog flag invalid
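
Example

The following SOUL request is an added illustration, not part of the original page or of the product's own code. It guards a protected action and treats every return code other than 0 as a refusal, including 2, where no authorizer is running and the call was ignored. The action name PAYROLL.SALARY.UPDATE and the message texts are hypothetical.

```soul
Begin
* Added example: fail-closed guard around a protected update.
* PAYROLL.SALARY.UPDATE is a hypothetical action name that the
* security administrator would define to the external authorizer.
%rc     is float
%action is string len 30

%action = 'PAYROLL.SALARY.UPDATE'

* AUTH prefix: the name checked is <SirSafe HLQ>.PAYROLL.SALARY.UPDATE
* W requests write access; Y logs a failed check.
%rc = $Sir_Check_Access(%action, 'AUTH', 'W', 'Y')

If %rc eq 0 Then
   * Only 0 means the authorizer granted the access.
   Print 'Authorized for ' With %action
   * ... perform the protected update here ...
ElseIf %rc eq 1 Then
   Print 'Access not allowed for ' With %action
   Stop
ElseIf %rc eq 2 Then
   * No authorizer running: the call was ignored, so nothing was
   * actually checked. Refuse rather than proceed unchecked.
   Print 'No authorizer running, refusing ' With %action
   Stop
Else
   * -1 through -4: invalid dsname, prefix, access or log argument.
   * These are coding errors and must never fall through as success.
   Print '$Sir_Check_Access argument error, rc = ' With %rc
   Stop
End If
End
```

Testing only for %rc eq 1 as the denial case would let the request continue when no authorizer is running (2) or when an argument is invalid (negative values), so the success test is written as %rc eq 0.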

Products authorizing $Sir_Check_Access