The ICHCNXOO exit, invoked by RACF commands and the ICHUTIOO utility, allows an installation to perform additional security checks, to further enhance or restrict the RACF limitations on the passed commands, or to modify or eliminate the RACF DASD data set naming convention. Because corresponding processing might be required in the RACDEF preprocessing exit and the RACHECK pre/postprocessing exits, RACF passes these exits a parameter list with similar structure and content to allow similar routines to be used.
RACF calls the naming convention processing routine before ICHCNXOO receives control.
On entry to the ICHCNXOO preprocessing exit routine (called from the ADDSD, ALTDSD, DELDSD, PERMIT, LISTDSD, and SEARCH commands, and from the ICHUTIOO utility), register 1 contains the address of the following area.
Notes:
1. Because the parameter list passed to the exit is also passed to the RACDEF preprocessing exit anti the RACHECK pre/postprocessing exit, the address of
the following area is also contained in:
• The fullword at offset 40 of the parameter list pointed to by register 1 on entry to the RACDEF preprocessing and postprocessing exits
• The fullword at offset 60 of the parameter list pointed to by register 1 on entry to the RACHECK preprocessing and postprocessing exits
2. For a rename request, the ICHCNXOO parameter list contains both the old and
Length address: points to a fullword containing the number of fullwords in this parametet: list.
Caller addresS: points to a 2-byte field containing a function code and subfunction code identifying the caller: X'0601' - LISTDSD prelocate call X'0602' - LISTDSD DATASET X'0603' - LISTDSD ID or PREFI X
8 4
Authority flag address: points to a I-byte field containing the user's authorization to the requested function:
X'08' - READ
X'80' - ALTER or CREATE
In order to issue the SEARCH command for a data set a user requires at least READ authority. In order to issue LISTDSD for a data set specifying the AUTHUSER or ALL operands, the user must have ALTER authority or the equivalent.
Resource name address: points to a I-byte field containing the resource name length followed by a 44-byte area containing the resource name. The name is left-justified.
Old name address: points to a I-byte field containing the length of the name followed by a 44-byte area containing the name of the data set that was renamed.
The name is left-justified.
Volume serial address: points to an area containing a I-byte count field followed by a variable number of 6-byte fields containing volume serial identifiers, each left-justified and padded on the right with blanks.
Old volume serial address: points to a 6-byte ar~a containing the volume serial identifier, left-justified and padded on the right with blanks.
Resource class name address: points to an 8-byte field containing the resource class name (DATASET). See the notes for theLISTDSD and SEARCH commands in Figure 7-2.
Qualifier address: points to an 8-byte field containing the data set qualifier. The qualifier is left-justified and padded on the right with blanks. This value is initialized to the high-level qualifier of the data set with the exceptions noted in Figure 7-2. If the exit changes the value, processing proceeds with the changed value. For ADDSD, RACDEF DEFINE, and RACDEF RENAME, RACF determines if the value is a userid or a group defined to RACF. For the other commands and ICHUTlOO, RACF determines if the value is a userid.
Data set type address: points to a I-byte flag field indicating the type of data set:
X'OI' - unknown X'40' - group data set X'80' - user data set
The use of this field is explained in more detail in the following topic, "Return Codes - Command Preprocessing Exit ICHCNXOO."
Authority address: points to a I-byte flag field containing the authority granted by the exit:
X'Ot' - None X'80' - ALTER
As noted in Figure 7-2, this field is used only for the LISTDSD command. It is intended for those cases when the exit gives the user the authority to list the data set description, which requires READ authority, but not list the access list, which requires ALTER authority.
CPPL address: points to the command processor parameter list (mapped by the IKJCPPL macro instruction). The CPPL can be used to prompt or send messages to a TSO user. As noted in Figure 7-2, the address is zero in non-TSO cases.
The caller (indicated by the function and subfunction codes pointed to by the fullword at offset 4 in the parameter list) determines which parameters are passed
~o the exit routine and which parameters can be changed by the exit routine. See Figure 7-2 for a summary of these parameters.
Chapter 7. RACF Installation Exits
7 -41
OFFSET
CALLER 0 4 8 12 16 20 24 28 32 36 40 44
RACHECK P P P C 0 C 0 P C 0 0 0
RACDEF DEFINE P P P C 0 C 0 P C C 0 0
RENAME P P P C C C 0 P C C 0 0
ADDVOL P P P C 0 C C P C 0 0 0
DELETE P P P C 0 C 0 P C 0 0 0
ADDSD SET P P P C 0 p3 0 P C C 0 P
NOSET P P P C 0 p3 0 P C C 0 p.
ALTDSD SET P P P C 0 p3 0 P C 0 0 P
NOSET P P P C 0 p3 0 P C 0 0 P
DELDSD SET P P P C 0 p3 0 P C 0 0 P
NOSET P P P C 0 p3 0 P C 0 0 P
LISTDSD prelocate P P P C1 0 P 0 P 0 0 0 P
DATASET P P P C 0 P 0 P C 0 C P
ID or PREFIX P P P C 0 P 0 P C 0 G P
PERMIT TO-resource P P P C 0 p3 0 P C 0 0 P
FROM -resource P P P C 0 p4 0 p C 0 0 P
SEARCH presearch P P P C2 0 0 0 p 0 0 0 p
postsearch P P P C 0 P 0 P C 0 0 P
ICHUTIOO P P P C 0 0 0 p C 0 0 0
p= the field is passed to the exit routine, and should not be changed by the exit routine.
C= the field is passed to the exit routine, and may be changed by the exit routine.
o = the field is not passed to the exit routine, and is indicated as zero.
Notes:
1 The field is set to the value specified (or defaulted to) on the
2 DATASET, ID, or PREFIX parameter.
The field is set to the value specified on the MASK parameter, or 3 to zero length if the NOMASK parameter was specified.
The field is nonzero only when the VOLUME parameter was specified.
4 The field is nonzero only when the FVOLUME parameter was specified.
Figure 7-2. ICHCNXOO Exit Parameter Processing