$UsrPriv

From m204wiki
Revision as of 12:03, 20 July 2015 by DCameron (talk | contribs)
Jump to navigation Jump to search

The $USRPRIV function is used to test whether a user ID has been granted specific Model 204 privileges.

Syntax

The format of the $USRPRIV function is:

$USRPRIV(privilege,logging option)

where:

  • privilege is the privilege that is to be validated. Privilege can be one of the following values:

ANY_ADMINISTRATOR

The ANY_ADMINISTRATOR privilege test verifies that the user is user zero or a system manager.

CHANGE_FILE_PASSWORD

CHANGE_LOGIN_PASSWORD

OVERRIDE_RECORD_SECURITY

SUPER_USER

SYSTEM_ADMINISTRATOR

SYSTEM_MANAGER

  • logging option specifies whether Model 204 should indicate that an error message should be issued for security violations:

LOG indicates that any privilege violation is logged.

NOLOG indicates that the privileges should be determined but any violation found is not logged.

Currently, the logging option affects only the Security Server (formerly RACF) or Top Secret interface. The option has no effect on Model 204; the ACF2 Interface always logs a security violation regardless of the logging option.

LOG is the default if a logging option is not specified.

$USRPRIV returns a numeric true/false value indicating the result of the authorization check as follows:

Value User is...
0 Not authorized for the privilege or an unknown privilege name is specified.
1 Authorized for the specified privilege.

Example

The following statement could be used to test if the current user ID is authorized as a system manager.

IF $USRPRIV('SYSTEM_MANAGER','NOLOG') THEN . . . * PERFORM SYSTEM MANAGER AUTHORIZED CODE END IF * ELSE UNAUTHORIZED FOR SYSTEM MANAGER FUNCTIONS

$USRPRIV and apsys

Generally speaking, $USRPRIV will return a value based upon the user's privileges. However, if $USRPRIV is called from within apsy code, then apsy privileges may override stanadard user privileges, as follows..

  • If apsy privileges have been set, then $USRPRIV will return a value based upon the apsy privileges , rather than the user's privileges
  • If start login privileges have been set for the apsy, and $USRPRIV is called from within the apsy initialization procedure, then it will return a value based upon the start login privileges.
  • If the user's sclass has privileges set, then these will override standard apsy privileges for the user, and $USRPRIV will return a value based upon the sclass privileges.