|
The RACXTRT macro is used to retrieve or replace certain specified
fields from a RACF® profile
or to encode certain clear-text (readable) data.
This macro is only available to authorized callers (APF-authorized,
in system key 0–7, or in supervisor state).
When activated, automatic direction of application updates propagates
RACXTRT TYPE=REPLACE requests on to selected remote nodes. Only RACXTRT
TYPE=REPLACE requests with return code 0 are propagated. Note: - Encoding, replacement, and extraction are mutually exclusive.
- Only callers in 24-bit addressing mode can issue this macro. Callers
executing in 31-bit addressing mode who want to use the RACXTRT function
can code the RACROUTE macro.
The following RACXTRT functions are Programming Interfaces: - Retrieving or updating fields in any other product segment (including
WORKATTR) in the user, group and resource profiles.
- Retrieving or updating the following installation-reserved fields:
- USERDATA
- USRCNT
- USRDATA
- USRFLG
- USRNM
- Retrieving the current or a specified user's default group or
password.
The following RACXTRT function is part of the Programming Interface
but is not recommended for use because the macro is not going
to be enhanced in future releases. - Retrieving or updating fields in the base segment of a user, resource,
or group profile.
The standard form of the RACXTRT macro is written as follows:
|
|
---|
|
name |
name: Symbol. Begin name in
column 1. |
|
|
␢ |
One or more blanks must precede RACXTRT. |
|
|
RACXTRT |
|
|
|
␢ |
One or more blanks must follow RACXTRT. |
|
|
|
TYPE=EXTRACT TYPE=EXTRACTN TYPE=REPLACE TYPE=ENCRYPT |
|
|
|
,ENTITY=profile name |
profile name addr: A-type
address, or register (2) – (12) |
addr |
|
|
|
,ACEE=acee-address |
acee: A-type address, or
register (2) – (12) |
|
|
,VOLSER=volser-address |
vol address: A-type address,
or register (2) – (12) |
|
|
,GENERIC=ASIS |
|
,GENERIC=YES |
Default: ASIS |
|
|
,FLDACC=YES |
|
,FLDACC=NO |
Default: NO |
|
|
If TYPE=EXTRACT or EXTRACTN
is specified: |
|
|
,SUBPOOL=subpool |
subpool number: Decimal digit,
0–255 |
|
Default: SUBPOOL=229 |
number |
|
|
|
,DERIVE=‘YES’ |
See explanation of keyword. |
|
Default: Normal processing |
|
|
,CLASS=‘class name’ |
class name: 1–8 character
class name |
,CLASS=class name addr |
class name addr: A-type address
or register (2) – (12) |
|
Default: ‘USER’ |
|
|
,SEGMENT=‘segment |
segment name: 1–8 character
name |
name’ |
|
,SEGMENT=segment |
segment name addr: A-type
address or register (2) – (12) |
name addr |
|
|
|
,FIELDS=field addr |
field addr: A-type address
or register (2) – (12) |
|
|
If TYPE=REPLACE is specified: |
|
|
,CLASS=‘class name’ |
class name: 1–8 character
class name |
,CLASS=class name addr |
class name addr: A-type address
or Register (2) – (12) |
|
Default: ‘USER’ |
|
|
,SEGMENT=‘segment |
segment name: 1–8 character
name |
name’ |
|
,SEGMENT=segment |
segment name addr: A-type
address or register (2) – (12) |
name addr |
|
|
|
,FIELDS=field addr |
field addr: A-type address
or register (2) – (12) |
|
|
,SEGDATA=segment |
segment data addr: A-type
address or register (2) – (12) |
data addr |
|
|
|
If TYPE=ENCRYPT is specified: |
|
|
,ENCRYPT=(data |
data address: A-type address
or register (2) – (12) |
address,DES) |
|
,ENCRYPT=(data |
|
data address,HASH) |
|
,ENCRYPT=(data |
|
address,INST) |
|
Note: If TYPE=ENCRYPT is specified,
the only other allowable parameters are ENTITY, RELEASE, ENCRYPT,
with ENCRYPT being required.
|
|
The parameters are explained as follows: - TYPE=EXTRACT
- specifies the function to be performed by the extract function
routine.
With Release 1.8 and later, RACXTRT can provide additional
function: it can extract information from any field in any profile.
See RACF database templates for a definition of the type and
name of each field in each profile. If you specify EXTRACT, the macro
extracts information from the profile determined by the ENTITY and
CLASS keywords. Specifically, RACF extracts
the fields specified in the FIELDS keyword from the segment specified
by the SEGMENT keyword. If you do not specify ENTITY, RACF retrieves the desired information from
the current user's profile.
To use TYPE=EXTRACT to extract field
information from a profile, you must specify RELEASE=1.8 or later. Note: If
you specify TYPE=EXTRACT, do not specify ENCRYPT.
Upon
return, register 1 contains the address of a result area that begins
with a fullword containing the area's subpool number and length. It
is your responsibility to issue a FREEMAIN to release the area after
you are through using it.
The fields in the result area are
in the order below:
Offset (Dec) |
Data |
Length (Dec) |
---|
0 |
Subpool of area |
1 |
1 |
Length of area |
3 |
4 |
Offset to start of optional field to contain segment data |
2 |
6 |
Flag |
1 |
7 |
Reserved |
17 |
24 |
Specified or current user's user ID, if CLASS=USER |
8 |
32 |
Specified user's default connect group or current user's current
connect group, if CLASS=USER |
8 |
In general, RACF returns
field data in the order it was specified, with a 4-byte length field
preceding each profile field. For example, if you are extracting a
single field, you receive a 4-byte length field that contains the
length of the field that follows. If the requested field is a variable
length field, there is no additional length byte.
If you are extracting a combination field (representing one or
more fields), you receive: - A 4-byte length field that contains the combined length of all
the fields that follow
- A combination field made up of 4-byte length fields followed by
their respective individual data fields.
If you are extracting a single field within a repeat group, you
receive: - A 4-byte length field that contains the combined length of all
the fields that follow.
- A 4-byte length field that indicates the length of the specified
field in the first occurrence of the repeat group. This is followed
by a 4-byte length field that indicates the length of the specified
field in the second occurrence of the repeat group. The pattern repeats
until all the occurrences of the repeat group are accounted for.
If you are extracting a combination field (representing one or
more fields) within a repeat group, you receive: - A 4-byte length field that contains the combined length of all
the fields that follow.
- A combination field consisting of a 4-byte length field indicating
the length of the individual data field that follows it, followed
by the next 4-byte length field indicating the length of the next
individual data field. The pattern repeats until all the individual
fields that make up the combination field are accounted for. At the
next occurrence of the repeat group the pattern begins again.
Specifying the name of a repeat-group count field retrieves only
the 4-byte length followed by the 4-byte repeat group count.
When a field to be extracted is empty, the following results: - For fixed-length fields, RACF returns
the default as specified by the template definitions. The default
for flag fields is X'00'. The default for fixed-length fields
in the base segment of the profile in binary ones. The default for
fixed-length fields in other segments is binary zeros.
- For variable-length fields, RACF returns
a length of zero and no data.
If CLASS=USER, when you specify EXTRACT,
the macro extracts the user ID, connect group and, optionally, the
encoded password from the user profile.
- TYPE=EXTRACTN
- specifies the function to be performed by the EXTRACT function
routine.
Note: If you specify TYPE=EXTRACTN, do not specify ENCRYPT=.
Upon
return, register 1 contains the address of a result area that begins
with a fullword containing the area's subpool number and length. To
see the format of the result area, see the explanation of TYPE=EXTRACT,
above. At offset 6 in the result area, there is a flag. If the flag
has a X'80', the name returned is generic.
If you specify
EXTRACTN, the macro extracts information from the profile that follows
the profile determined by the ENTITY and CLASS keywords. From that
next profile, RACF extracts
the fields specified in the FIELDS keyword from the segment specified
by the SEGMENT keyword. In addition, RACF returns
the name of the profile from which it extracted the data.
- TYPE=REPLACE
- specifies the function to be performed by the EXTRACT function
routine.
Note: If you specify TYPE=REPLACE, do not specify ENCRYPT=.
Use
of the REPLACE option to update a profile requires a thorough knowledge
of the interrelationships of fields within a profile and of the potential
relationships between profiles. For instance, if you use RACXTRT to
update a password, you should also update the password change date
and password history information.
If you specify TYPE=REPLACE, RACF takes the information in the
fields specified in the FIELDS parameter and pointed to by SEGDATA,
and places that information in the designated SEGMENT. (The SEGMENT
is within the profile determined by the ENTITY and CLASS keywords.)
If you specify TYPE=REPLACE, you must specify FIELDS, SEGDATA=, and
RELEASE=1.8 or later. If you want to replace a segment other than
the base segment, you must specify the SEGMENT keyword with the segment
you want. If you do not specify SEGMENT, the segment defaults to the
base segment.
With 1.8 and later, if you want to create a TSO
segment, you can do so by specifying the RACXTRT macro in the following
way: TYPE=REPLACE SEGMENT=TSO
- ,SUBPOOL=subpool number
- specifies the storage subpool from which the extract-function
routine obtains an area needed for the extraction. If this parameter
is not specified, it defaults to 229.
Note: Care should be taken in
selecting a subpool. Selecting a fetch-protected subpool or subpool
0 might result in programs being unable to access or free retrieved
data.
- ,DERIVE=YES
- specifies that the desired field is obtained from the DFP segment
of the appropriate profile. To specify DERIVE, you must also specify
RELEASE=1.8.1.
DERIVE requests are limited to the DFP segment of
the data set and user profiles. The following information is an explanation
of the DERIVE processing for both DATASET and USER requests. - DATASET
Specifying the DERIVE=YES keyword with CLASS=DATASET
and FIELDS=RESOWNER causes RACF to
perform additional processing, other than simply extracting the data
set resource owner from the data set profile.
DFP uses this
retrieved information for authority checking when allocating a new
data set.
To process the request, RACF first
attempts to extract the RESOWNER field from the DATASET profile specified
by the ENTITY keyword. If the profile exists and the RESOWNER field
contains data, RACF checks
to see whether that data is the user ID of a USER or GROUP currently
defined to RACF. If so, RACF returns that user ID along
with a reason code that indicates whether the user ID is that of a
USER or GROUP.
If RACF does
not find a profile that matches the data set name specified by the
ENTITY keyword, RACF attempts
to locate the generic data set profile that protects that data set
name.
If it finds the generic profile, and the RESOWNER field
contains data, RACF checks
to see whether that data is the user ID of a USER or GROUP currently
defined to RACF. If so, RACF returns that user ID along
with a reason code that indicates whether the user ID is that of a
USER or GROUP.
If RACF does
not find a generic profile or the retrieved data is neither a USER
nor a GROUP, RACF returns the
high-level qualifier from the name specified on the ENTITY keyword,
along with a reason code that indicates whether that high-level qualifier
matches a defined USER or GROUP, or neither.
You specify a DERIVE
request for RESOWNER as follows: RACROUTE REQUEST=EXTRACT,TYPE=EXTRACT,
ENTITY=DSNAME,
VOLSER=MYDASD,
CLASS='DATASET',
FIELDS=RESFLDS,
SEGMENT='DFP',
DERIVE=YES,
RELEASE=1.8.1
⋮
DSNAME DC CL44'USER1.DATASET'
MYDASD DC CL6'DASD1'
RESFLDS DC A(1)
DC CL8'RESOWNER'
Note: You must specify all
the keywords in the example, for the DERIVE request to work.
- User
The purpose of specifying the DERIVE=YES keyword with
CLASS=USER is to obtain the desired DFP-field information (STORCLAS
or MGMTCLAS) from the profile of the user. If the user's profile does
not contain the desired DFP fields, RACF goes
to the user's default group and attempts to obtain the information
for the remaining fields from the GROUP profile (the remaining fields
being those that do not contain information in the USER profile).
You
specify a DERIVE request for information from a USER profile as follows: RACROUTE REQUEST=EXTRACT,TYPE=EXTRACT,
ENTITY=USER01,
CLASS='USER',
FIELDS=STRFLDS,
SEGMENT='DFP',
DERIVE=YES,
RELEASE=1.8.1
⋮
USER01 DC CL8'USER01'
STRFLDS DC A(1)
DC CL8'STORCLAS'
RACF processes
the DERIVE keyword only if it is specified with the DATASET or USER
class. In addition, for DERIVE processing to occur, SEGMENT=DFP and
RELEASE=1.8.1 must also be specified.
- ,FIELDS=address
- Specifies the address of a variable-length list. The first field
is a 4-byte field that contains the number of profile-field names
in the list that follows. Each profile-field name is 8 bytes long,
left-justified, and padded to the right with blanks. The allowable
field names for each type of profile are in the template listings
in RACF database templates. To see how to specify the FIELDS
keyword, see the TYPE=REPLACE example that follows.
- If you specify RELEASE=1.6 or later, or allow the keyword to default,
the following options exist:
- The only acceptable value of the count field is 1.
- The only acceptable field name is PASSWORD. Use this parameter
when you want to extract the user's encoded password in addition to
the user ID and connect group. RACF returns
the encoded password in the result area at an offset from the start
of the area specified by the halfword at offset 4. (See the result
area under TYPE=EXTRACT.)
- If you specify RELEASE=1.8 or later, the following options exist:
- The count field can contain numbers from 1 through 255.
- The field names can be any of the field names in the template
listings.
If you specify TYPE=EXTRACT or EXTRACTN, RACF retrieves the contents of the named fields
from the RACF profile indicated
by the CLASS= and ENTITY= parameters, and returns the contents in
the result area. (See result area explained under the EXTRACT keyword.)
With
Release 1.8, you can specify TYPE=REPLACE. RACF replaces or creates the indicated fields
in the profile specified on the CLASS and ENTITY keywords with the
data pointed to by the SEGDATA keyword.
Note: - Do not replace a repeat group count field. Doing so causes unpredictable
results.
- You cannot replace an entire repeat group, a single occurrence
of a repeat group, or a single existing field in a repeat group. If
you attempt to do so, RACF adds
the data to the existing repeat group or groups.
The only things
you can do is retrieve all occurrences of specified fields within
a repeat group or add a new occurrence of a repeat group.
- If you add occurrences of a repeat group, RACF places those additions at the beginning
(front) of the repeat group.
The following example of TYPE=REPLACE replaces fields
in the base segment. It shows one way to code the macro and the declarations
necessary to make the macro work. RACXTRT TYPE=REPLACE,
CLASS='USER',
ENTITY=USERID,
FIELDS=FLDLIST,
SEGDATA=SEGDLIST,
SEGMENT=BASE
⋮
USERID DC CL8,'BILL'
FLDLIST DC A(3)
DC CL8'AUTHOR'
DC CL8'DFLTGRP'
DC CL8'NAME'
SEGDLIST DC AL4(6),CL6'JSMITH'
DC AL4(8),CL8'SECURITY'
DC AL4(11),CL11'BILL THOMAS'
BASE DC CL8'BASE'
When the replacement
action takes place, the following results occur: - JSMITH is placed in the AUTHOR field in the profile.
- SECURITY is placed in the DFLTGRP field in the profile.
- BILL THOMAS is placed in the NAME field in the profile.
The following example of TYPE=EXTRACT retrieves the universal
access from a fully-qualified generic data set profile. The information
is retrieved in a work area created in SUBPOOL 1. RACXTRT TYPE=EXTRACT,
CLASS='DATASET',
ENTITY=DSN,
FIELDS=FLDS,
GENERIC=YES,
SUBPOOL=1
RELEASE=1.8,
SEGMENT='TSO'
⋮
DSN DC CL44'SYS1.LINKLIB'
FLDS DC A(1)
DC CL8 'UACC'
- TYPE=ENCRYPT
- specifies the function to be performed by the extract-function
routine.
If TYPE=ENCRYPT is specified, the operation performed
is data encoding. The ENCRYPT keyword specifies the data to be encoded
and the encoding method used. The first eight bytes of the area pointed
to by the ENTITY operand are used by the data encryption standard
(DES) encoding routine. If ENTITY is not specified, the user ID from
the current ACEE is used instead. If TYPE=ENCRYPT is specified, no
work area is returned.
- ,ENCRYPT=(data address,DES)
- ,ENCRYPT=(data address,HASH)
- ,ENCRYPT=(data address,INST)
- specifies the data to be authenticated, and a method of authentication.
The address points to a 1-byte length field followed by 1 to 255 bytes
of clear-text data to be used as the user-authentication key. The
second subparameter specifies the authentication method: the RACF data encryption standard algorithm,
the RACF hashing algorithm,
or whatever scheme the installation uses (INST value). Upon return
to the macro issuer, the first subparameter contains the address of
an area that contains a 1-byte length followed by the encoded version
of the data. Neither the address itself nor the length is changed.
Note: When
the DES algorithm is used, RACF actually
encrypts the data pointed to by the ENTITY profile or by the user
ID, using the data as the encryption key. Data is one-way encrypted,
that is, no facility is provided to recover the data in readable form.
If HASH is specified, the RACF hashing
algorithm is used and data is masked instead of encrypted.
- ,ENTITY=resource name address
- specifies the address of an area containing the resource name.
The resource name is a 44-byte DASD data set name for CLASS=‘DATASET’,
an 8-byte area containing the user ID for CLASS=‘USER’, an 8-byte
area containing the group name for CLASS=‘GROUP’, or a 17-byte area
for CLASS=‘CONNECT’. The length of all other resource names is determined
from the class descriptor table. The name must be left-justified in
the field and padded with blanks. For CLASS=‘USER’, the user ID from
the current ACEE or the ACEE specified for ACEE= is used if ENTITY=
is not specified.
- ,ACEE=acee address
- specifies an alternate ACEE for RACF to
use rather than the current ACEE. For example, if the ENTITY parameter
has not been specified, RACF refers
to the ACEE during extract processing of user data. If you want to
use the ACEE parameter, you must specify RELEASE=1.8 or later.
- ,VOLSER=vol-address (valid only with ,CLASS=‘DATASET’)
- specifies the volume serial as follows:
- For MVS/VSAM DASD data sets and tape data sets, specifies the
volume serial number of the catalog controlling the data set.
- For non-VSAM DASD data sets and tape data sets, specifies the
volume serial number of the volume on which the data set resides.
The field pointed to by the vol-address variable
contains the volume serial number. If necessary, you must pad it to
the right with blanks so it contain six characters.
If you specify
VOLSER, you must specify RELEASE=1.8 or later.
- ,GENERIC=ASIS|YES
- When CLASS is DATASET, specifies whether RACF is to treat the entity name as a generic
profile name.
- If GENERIC=YES is specified, the resource name is considered a
generic profile name, even if it does not contain a generic character:
an asterisk (*) or a percent sign (%). If you specify
GENERIC=YES, the resource name in the macro will match only a generic
resource name in the RACF database.
It will not match a discrete name.
- If GENERIC=ASIS is specified, the resource name is considered
a generic only if it contains a generic character: an asterisk (*)
or a percent sign (%).
If you specify GENERIC, you must specify RELEASE=1.8 or later.
- ,FLDACC=NO|YES
- specifies whether field-level access checking should be performed.
If you specify FLDACC=YES, the RACF database
manager checks to see that the user running your program has the authority
to extract or modify the fields that are specified in the RACXTRT
macro.
Note: - For field-level access checking to occur, you must specify RELEASE=1.8
or later when you code the macro. In addition, before the program
executes, the security administrator must activate and RACLIST the
FIELD class using the SETROPTS command. If you code FLDACC=YES and
the FIELD class is not active and RACLISTed, the request is failed
with a return code 8, reason code 4.
- In addition, the security administrator must issue the RDEFINE
and PERMIT commands to designate those users who have the authority
to access the fields designated in the RACXTRT macro.
- If you specify FLDACC=NO or omit the parameter, the manager ignores
field-level access checking.
- ,CLASS=‘class name’
- ,CLASS=class name addr
- specifies the class the entity is in. The class name can be USER,
GROUP, CONNECT, DATASET, or any general-resource class defined in
the class descriptor table. If you specify CLASS, you must specify
RELEASE=1.8 or later.
- ,SEGMENT=‘segment name’
- ,SEGMENT=segment name address
- specifies the RACF profile
segment that RACF is to update
or from which it is to extract data. If you specify SEGMENT, you must
also specify the CLASS and FIELDS keywords, and RELEASE=1.8 or a later
release number. If you allow the SEGMENT parameter to default, RACF assumes that you want to extract
information from the base segment.
- ,SEGDATA=segment data addr
- specifies the address of a list of data items to be placed in
the fields named by the FIELDS= parameter. You use the SEGDATA parameter
when you specify TYPE=REPLACE. If you specify SEGDATA, you must also
specify CLASS, FIELDS, and RELEASE=1.8 or a later release number.
The stored data is paired in the following format:
- A 4-byte length field that contains the length of the data field
that follows
- A data field of variable length.
Each length field is followed immediately by a data field until
you reach the end of the replacement data. The count field, which
is pointed to by the first field in the FIELDS parameter, contains
the total number of length-data pairs.
|