List:       racf-l
Subject:    Re: RACROUTE Confusion
From:       Russell D Hardgrove <hardgrov () US ! IBM ! COM>
Date:       2011-04-13 19:13:34
Message-ID: OF483057F1.6CE3715B-ON85257871.0069496A-85257871.00699DD8 () us ! ibm ! com

Patrick, if you are doing a VERIFY to create an ACEE to pass to the
AUTH, ensure that a THIRD call is done: another VERIFY to do an
ENVIR=DELETE.   Otherwise you have a storage leak.

Third party AUTHs do have a performance advantage when the second and
subsequent calls are for the SAME userid.

The STAT=NO helps a lot with your VERIFY by cutting DOWN last access
updates (i.e. WRITES) to the RACF DB.

--------------------------------------------------
Russ Hardgrove / RACF Lvl2
IBM - z/OS  Software Service
Dept. EC8A   Bldg. 707 - 2/F19
Poughkeepsie, NY  12601
hardgrov@us.ibm.com  845-435-3279
            or  295-3279 (T/L)
--------------------------------------------------
"RACF: Guilty, until proven innocent !!"    RdH 2004
"RACF, praesumitur malus donec probetur bonus"    RdH     MMX
<< Continually proving this (innocence) is not just a JOB, it's an
-ADVENTURE-   :-b  .. >>
...



From:    Patrick Roehl <uga@ROEHL-CONSULTING.COM>
To:      RACF-L@LISTSERV.UGA.EDU
Date:    04/13/2011 02:41 PM
Subject: Re: RACROUTE Confusion



Walt - Thank you for your suggestions.  They generated a couple of
questions.

>Hayim has already provided the answer to your question, but I thought I'd
>mention that you could do this more easily using a 3rd-party RACROUTE
>REQUEST=AUTH, where you specify the user ID of interest on the AUTH call
>and let RACF worry about doing the VERIFY.

I didn't see how this could be done with one call because the REQUEST=AUTH
doesn't seem to take a password.  Is a user ID alone (with no password)
sufficient?

>But if you do want to issue the VERIFY yourself, you should probably
>specify STAT=NO so you do not make it appear as though the user has
>actually used the system.

STAT=NO is my plan, now that the basic logic is working.

Is there a performance, or any other, benefit to using a separate VERIFY
call or combining it into one AUTH call?

>Also, if the class happens to be DATASET you need more information on the
>AUTH if you want the best chance of getting the correct answer, including
>the proper RACFIND value, the kind of data set (VSAM, or non-VSAM), and
>the proper volser (and it's more complex for tape data sets, and for VSAM
>than non-VSAM).

As it happens, this is not a DATASET class.