Monday, December 19, 2011

RACF: Find what kind of access you have to a dataset

Most installations have security reports that list dataset access violations by users. At client sites, one has to be extremely careful not to incur such violations, because someone from higher management would be questioned as to why a particular violation happened. In most cases, we do not know whether we have access to a particular dataset. We usually try to browse the dataset, and only when we get an ICH408I message or system abend S913 do we realize that we do not have access to it. By then it is too late: we have left our fingerprints in the system logs and/or SMF.

The simple REXX below can be used to verify whether you have access to a particular dataset. It issues the LISTDSD TSO command against the dataset and tells the user whether he/she has access to it. Additionally, it reports what kind of access he/she has and, as a bonus, provides information about the RACF profile that protects the dataset (this applies only if the user has some access to the dataset).

Note: This REXX caters only to RACF as a security product. If your site uses Top-Secret or ACF2, this REXX will not work.

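/* Rexx */
/*- Find access to a dataset. -*/
 say 'Enter dataset name'
 PULL idsn
 idsn = strip(idsn)
 /* Enclose the name in quotes, whether or not the user typed them */
 idsn="'"||strip(idsn,'B',"'")||"'"
 access='NONE'
 /* First attempt: look for a discrete profile */
 x=outtrap('var1.')
 "listdsd da("idsn") auth"
 x=outtrap('off')
 /* More than one trapped line is treated as a profile listing;  */
 /* line 17 is taken to hold the value under YOUR ACCESS         */
 If var1.0 > 1 Then
    access=word(var1.17,1)
 Else Do
    /* Second attempt: look for the covering generic profile */
    drop var1.
    x=outtrap('var1.')
    "listdsd da("idsn") gen auth"
    x=outtrap('off')
    If var1.0>1 Then
       access=word(var1.17,1)
 End
 if access == 'NONE' then
    msg="User has '"||access||"' to the dataset " idsn
 else
    /* Words 4 and 5 of line 1 are the profile name and its type flag */
    msg="User has '"||access||"' to the dataset " idsn "Profile ",
        "'"||word(var1.1,4)||"' "||word(var1.1,5)
 say msg
 Exit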
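The REXX above reads the access level from a fixed line number of the trapped LISTDSD output. The following added example (not the blog author's code) finds the value by its `YOUR ACCESS` column heading instead, so the result does not depend on how many lines precede it. The stem name `out.`, the function `getAccess` and the sample LISTDSD output are constructed for illustration, and the output layout is an assumption; on TSO the stem would be filled by OUTTRAP as in the original.

```rexx
/* REXX - added example; sample output below is constructed           */
/* Locate YOUR ACCESS by its heading instead of a fixed line number.  */
out.1 = "INFORMATION FOR DATASET HLQ.SAMPLE.** (G)"
out.2 = ""
out.3 = "LEVEL  OWNER    UNIVERSAL ACCESS   WARNING   ERASE"
out.4 = "-----  -------- ----------------   -------   -----"
out.5 = " 00    HLQ           NONE            NO       NO"
out.6 = ""
out.7 = "YOUR ACCESS  CREATION GROUP  DATASET TYPE"
out.8 = "-----------  --------------  ------------"
out.9 = "   READ          SYS1          NON-VSAM"
out.0 = 9

parse value getAccess() with access profile
if access == 'NONE' then
  say "User has 'NONE' to the dataset"
else
  say "User has '"access"' via profile '"profile"'"
exit 0

/* Returns "<access> <profile>"; access stays NONE when no listing   */
/* was produced (for example, only an error message was trapped).    */
getAccess: procedure expose out.
  access = 'NONE'
  profile = ''
  do i = 1 to out.0
    line = translate(strip(out.i))
    select
      when abbrev(line, 'INFORMATION FOR DATASET') then
        profile = subword(out.i, 4)      /* name plus optional (G)   */
      when abbrev(line, 'YOUR ACCESS') then do
        v = i + 2                        /* skip the dashed underline */
        if v <= out.0 then do
          cand = translate(word(out.v, 1))
          /* Accept only a known RACF access level */
          if wordpos(cand, 'NONE EXECUTE READ UPDATE CONTROL ALTER') > 0 then
            access = cand
        end
      end
      otherwise nop
    end
  end
  return access profile
```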
