
FRACHECK - Fast Path Resource Authorization Checking

In the document ana Macro Instructions (Pages 181-187)

The FRACHECK macro is used to check a user's authorization for access to a resource.

FRACHECK verifies access to those resources whose RACF profiles have been brought into main storage by the RACLIST facility. FRACHECK is a branch entered service that does not save registers upon entry. Registers 0-5, 14, and 15 are used by the FRACHECK macro instruction and are not restored. Registers 6-13 are not altered by FRACHECK.

Note: For RACF release 1.6 and previous releases: Only callers in 24-bit addressing mode can issue this macro. Callers executing in 31-bit addressing mode, who want to use the FRACHECK function, can code the RACROUTE macro.

The standard form of the FRACHECK macro instruction is written as follows:

name

One or more blanks must precede FRACHECK.

One or more blanks must follow FRACHECK.

entity addr: A-type address or register (2) - (12).

classname: DASDVOL or TAPEVOL.

classname addr: A-type address or register (2) - (12).

reg: registers (2) - (12).

The parameters are explained as follows:

ENTITY = entity addr

specifies that RACF authorization checking is to be performed for the resource whose name is pointed to by the specified address. The resource name is a 6-byte volume serial number for CLASS = 'DASDVOL' or CLASS = 'TAPEVOL'. The name must be left justified and padded with blanks. The length of all other resource names is determined from the class descriptor tables.

,CLASS = 'classname'

,CLASS = classname addr

specifies that RACF authorization checking is to be performed for a resource of the specified class. If an address is specified, the address must point to an 8-byte field containing the classname.

,ATTR = READ

,ATTR = UPDATE

,ATTR = CONTROL

,ATTR = ALTER

,ATTR = (reg)

specifies the access authority required by the user or group accessing the resource:

READ - RACF user or group can open the resource only to read.

UPDATE - RACF user or group can open the resource to read or write.

CONTROL - For VSAM data sets, RACF user or group has authority equivalent to the VSAM control password. For non-VSAM data sets and other resources, RACF user or group has UPDATE authority.

ALTER - RACF user or group has total control over the resource.

If a register is specified, the register must contain one of the following codes in the low-order byte of the register:

X'02' - READ

X'04' - UPDATE

X'08' - CONTROL

X'80' - ALTER

,ACEE = acee addr

specifies the address of the accessor control environment element (ACEE) to be used to check authorization and to locate the in-storage profiles (RACLIST output) for the specified classes. If an ACEE is specified, it is used for authorization checking. If the specified ACEE has an in-storage profile list for the specified class, it is used to locate the resource. If an ACEE is not specified or if there is no in-storage profile list for the specified class in the ACEE, RACF uses the TASK ACEE pointer in the extended TCB called the TCBSENV. Otherwise, or if the TASK ACEE pointer is zero, RACF uses the main ACEE to obtain the list of the in-storage profiles. The main ACEE is pointed to by the ASXBSENV field of the address space extension block.

,WKAREA = area addr

specifies the address of a 16 word work area to be used by FRACHECK which contains the following information:

Word 13 contains the return code the FRACHECK caller receives.

Word 14 contains the address of the in-storage profile used to determine authorization, or zero if no profile was found.

Word 15 contains a value provided by a pre-processing installation exit, or zero if there was no pre-processing exit.

Workarea words 13 and 14 are passed back to the FRACHECK issuer as a return code in register 15 (see return codes below) and a profile address in register 1, respectively.

170

Supervisor Services and Macro Instructions

,APPL = 'applname'

,APPL = applname addr

specifies the name of the application requesting the authorization checking. This information is not used for the authorization checking process but is made available to the installation exit(s). If an address is specified, it should point to an 8-byte area containing the application name, left justified and padded with blanks, if necessary.

,INSTLN = parm list addr

specifies the address of an area that contains information for the FRACHECK installation exit. This address is passed to the exit routine when the exit is given control.

The INSTLN parameter is used by application or installation programs to pass information to the FRACHECK installation exit.

,RELEASE = number

specifies the RACF release level of the parameter list to be generated by this macro.

Certain parameters can be specified only with particular releases. If you specify a parameter with an incompatible release level, the parameter will not be accepted by the macro processing. An error message will be issued at assembly time. For the parameters that are valid for RELEASE = 1.6 and later, see Figure 58.

The default is RELEASE = 1.6.

When you specify the RELEASE keyword, checking is done at assembly time.

Execution-time validation of the compatibility between the list and execute forms of the FRACHECK macro can be done by your specifying the CHECK subparameter on the execute form of the macro.

Parameters For RELEASE = 1.6 and Later

The RELEASE values for which a specific parameter is valid are marked with an 'X'.

Parameter     RELEASE = 1.6     RELEASE = 1.7

ACEE =        X                 X

APPL =        X                 X

ATTR =        X                 X

CLASS =       X                 X

ENTITY =      X                 X

INSTLN =      X                 X

RELEASE =     X                 X

WKAREA =      X                 X

Figure 58. FRACHECK Parameters for RELEASE = 1.6 and Later


Return Codes and Reason Codes

When control is returned, register 15 contains one of the following return codes:

Hexadecimal Code   Meaning

00 The user or group is authorized to use the resource.

04 The resource or classname is not defined to RACF.

08 The user or group is not authorized to use the resource.

0C RACF is not active.

10 FRACHECK installation exit error occurred.

14 RACF CVT does not exist (RACF is not installed or insufficient level of RACF is installed).

64 Indicates that the CHECK subparameter of the RELEASE keyword was specified on the execute form of the FRACHECK macro; however, the list form of the macro does not have the proper RELEASE parameter. Macro processing terminates.


FRACHECK (List Form)

The list form of the FRACHECK macro instruction is written as follows:

name b

FRACHECK b

ENTITY = entity addr

,CLASS = 'classname'

,CLASS = classname addr

,ATTR = READ

,ATTR = UPDATE

,ATTR = CONTROL

,ATTR = ALTER

,ACEE = acee addr

,WKAREA = area addr

,APPL = 'applname'

,APPL = applname addr

,INSTLN = parm list addr

,RELEASE = number

,MF=L

name: symbol. Begin name in column 1.

One or more blanks must precede FRACHECK.

One or more blanks must follow FRACHECK.

entity addr: A-type address.

classname: DASDVOL or TAPEVOL.

classname addr: A-type address.

Default: ATTR = READ

acee addr: A-type address.

area addr: A-type address.

applname addr: A-type address.

parm list addr: A-type address.

number: 1.6 or 1.7

Default: RELEASE = 1.6

The parameters are explained under the standard form of the FRACHECK macro instruction, with the following exception:

,MF=L

specifies the list form of the FRACHECK macro instruction.


FRACHECK (Execute Form)

The execute form of the FRACHECK macro instruction is written as follows:

name

One or more blanks must precede FRACHECK.

One or more blanks must follow FRACHECK.

entity addr: RX-type address or register (2) - (12).

The parameters are explained under the standard form of the FRACHECK macro instruction, with the following exception:

,MF= (E,ctrl addr)

specifies the execute form of the FRACHECK macro instruction, using a remote control program parameter list.

,RELEASE = (number, CHECK)

,RELEASE = number

,RELEASE = (,CHECK)

specifies the RACF release level of the parameter list to be generated by this macro.

Certain parameters can be specified only with particular releases. If you specify a parameter with an incompatible release level, the parameter will not be accepted by the macro processing. An error message will be issued at assembly time. For the parameters that are valid for RELEASE = 1.6 and later, see Figure 58 on page 171.

The default is RELEASE = 1.6.

When you specify the RELEASE keyword, checking is done at assembly time.

Execution-time validation of the compatibility between the list and execute forms of the FRACHECK macro can be done by your specifying the CHECK subparameter on the execute form of the macro.

When CHECK processing is requested, if the size of the list-form expansion is not large enough to accommodate all parameters defined by the RELEASE keyword on the execute form of the macro, the execute form of the macro will not be done. Instead, a return code of X'64' will be generated.
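The following is an added example, not code from the manual: a list-form and execute-form pair for a DASDVOL check, with a bounds-checked branch table on the register 15 return code so that X'64' from CHECK processing never indexes past the table. All labels and branch targets are hypothetical, and routing each non-zero code to its own handler instead of granting access is this example's choice.

```hlasm
* Added example, not code from the manual. CHKVOL, FRLIST, VOLSER,
* FRWORK, SAVE14 and the branch targets ALLOW, NOTDEF, DENY, NORACF,
* EXITERR and BADLIST are hypothetical names; the branch targets,
* base-register setup and literal pool are assumed to exist
* elsewhere in the caller.
CHKVOL   ST    14,SAVE14          R14 is used by FRACHECK, save it
         FRACHECK ENTITY=VOLSER,RELEASE=(1.6,CHECK),MF=(E,FRLIST)
         L     14,SAVE14          R0-R5 and R15 are also changed
         C     15,=F'20'          Above X'14' (such as X'64')?
         BH    BADLIST            Yes, do not index the table
         B     RCTAB(15)          Listed codes are multiples of 4
RCTAB    B     ALLOW              00 authorized
         B     NOTDEF             04 resource or class not defined
         B     DENY               08 not authorized
         B     NORACF             0C RACF not active
         B     EXITERR            10 installation exit error
         B     NORACF             14 RACF CVT does not exist
*
FRLIST   FRACHECK CLASS='DASDVOL',ATTR=UPDATE,WKAREA=FRWORK,           X
               RELEASE=1.6,MF=L
VOLSER   DC    CL6'VOL001'        Constructed volser, left justified
FRWORK   DS    16F                16-word work area (RC in word 13)
SAVE14   DS    F                  Caller's R14
```

Any value the caller needs across the call belongs in registers 6-13 or in storage, since registers 0-5, 14 and 15 are not restored.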
