SP24439 wrote:
Hi Steve,
Thank you so much for replying in an understanding manner. My ID is NE3255A (sorry, I forgot to mention it in my previous post). I tried to compile a hello world program in CICS. But as this is my first time, I did some research on the net and searched for DFHEITVL and checked for it and some other members so that I can compile it. I am not getting where my work went wrong which resulted in security violations.
Kindly tell me the command to check the access before working on any data set.
I wish it will help a lot of people so that they cannot commit these mistakes again.
Thank you Steve.
I checked back.
Some of your RACF violations were trying to use another user's datasets. Per Fandezhi policy, this is prohibited. Other violations were for system datasets, as you guessed. No user is allowed to look at, much less modify, the system datasets you attempted to access. In any event, as far as I know (I can't access them myself) none of the system datasets you attempted to access have anything to do with running CICS or any normal user program.
In the early 1980s, I was the lead sysprog for an ACF2 installation. Your question about pre-testing for access occurred to me at that time, and I was unable to find anything. Some years later, after more experience, I came to realize that allowing this kind of pre-testing is not a good idea: it's an open invitation to hackers. As far as I know, RACF has no way for a regular program to perform this kind of test, though I believe a system program can perform this kind of a test and effectively hide the fact the test was performed.
For some years I did program support for an ISV. One of our customers attempted this test in a defined exit for our product. The ability to do the test was not in question, but the customer screwed up the mechanics very badly in the code to prepare to call the security product. After consulting with my boss, I was allowed to write the test in the exit for our customer. It took me a half day, coupled with a lot of time with the manual, as I recall, to do the test correctly and another half day to install the exit in our product to actually perform the test to verify I was doing it correctly and not screwing up something else. FWIW, I did not believe at the time we had any business correcting customer code, but the boss said it was OK.
A regular Assembler program can prevent program termination following an access error, but the error cannot be hidden. I do not believe any high level language, including C, has this capability.
As it happens, a TSO user can use the RACF LISTDSD command to check access without the normal logging messages. If you get NOT AUTHORIZED TO LIST xxx, you are not authorized to do anything with the resource. If you get a screen's worth of RACF gibberish you have some sort of access.