Whenever a RACROUTE REQUEST=AUTH is issued, RACF® performs normal authorization checking
for access to a data set. In other words, RACF grants the request if the UACC is sufficiently
high, if the user's user ID is in the access list with sufficient
authority, and so forth. If the user is not granted access to the
data set with normal authorization checking, RACF checks the data set's conditional access
list if program control is active and the program currently executing
is executing as a RACF-controlled program in a clean environment.
RACF authorizes the user to open the program-accessed data set with
the currently executing program if all of the following conditions
are met:
- The conditional access list contains the name of the currently
running program, the name of the first program currently running in
the current task (TCB), or the name of the first program currently
running in a parent task, with the requested level of access or higher.
- The user's group or user ID is associated with the program name
in the conditional access list.
- The current program environment (job step, or task established
under TSO/E using TSOEXEC or IKJEFTSR) is controlled. In other
words, it has not loaded an uncontrolled program. If either of these
conditions are not met, the environment is considered uncontrolled.
The user's attempt to open the program-accessed data set fails and
the task ends with abend code 913. RACF issues
message ICH417I, specifying what caused the environment to become
uncontrolled.
- If the job step or TSO session is running in ENHANCED program
security mode, one of the following is true:
  - The current environment (job step or task created by TSOEXEC or
    IKJEFTSR) first ran a program defined with the 'MAIN' attribute.
  - The current program running in the current task, or the first
    program run in the current task or a parent task, has the BASIC
    attribute.
  If neither of these conditions is met, the user's attempt to
  open the program-accessed data set fails and the task ends with abend
  code 913. RACF issues message ICH426I, specifying the non-MAIN
  program that established the current environment.
- If there is more than one controlled program running in the current
environment (job step or task created by TSOEXEC or IKJEFTSR),
all of those programs defined with the PADCHK attribute have conditional
access list entries allowing them to access the data set. If one or
more programs in the environment are not authorized, the attempt fails
and the task terminates with abend code 913. RACF issues message
ICH418I, specifying one or more programs that were missing from the
conditional access list.
Note: If a TSO user has executed a non-controlled program during
the current session, and then attempts to access a program-accessed
data set, the attempt fails. The TSO user can either log off and log
back on, or temporarily regain a controlled environment by invoking
the controlled program through the TSOEXEC command. When writing
a program, you can do the equivalent by invoking the TSO IKJEFTSR
service. For information on using the IKJEFTSR service, see
z/OS TSO/E Programming Guide.
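The decision sequence described above, modelled as an added Python example (not IBM's code and not part of the original page). The class and function names, the order in which the checks run, the plain DENIED result when no conditional entry matches, and the sample program names and IDs are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified ordering of RACF data set access levels (assumption for this model).
LEVELS = {"READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

@dataclass
class Env:
    ids: frozenset                    # user ID plus the user's groups
    current: str                      # program currently running
    first_in_task: str                # first program in the current task (TCB)
    first_in_parent: Optional[str] = None
    controlled: bool = True           # no uncontrolled program has been loaded
    enhanced: bool = False            # ENHANCED program security mode
    started_with_main: bool = False   # environment first ran a MAIN program
    basic: frozenset = frozenset()    # programs with the BASIC attribute
    padchk: frozenset = frozenset()   # controlled programs defined with PADCHK

def check(normal_ok, program_control, env, cal, requested):
    """cal: (program, user-or-group, level) conditional access list entries.
    Returns (outcome, message id); check order is an assumption of this model."""
    if normal_ok:
        return ("GRANTED", None)
    if not program_control:
        return ("DENIED", None)

    def permits(pgm):
        return any(p == pgm and who in env.ids and LEVELS[lvl] >= LEVELS[requested]
                   for p, who, lvl in cal)

    names = {env.current, env.first_in_task, env.first_in_parent} - {None}
    if not any(permits(p) for p in names):
        return ("DENIED", None)              # no usable conditional entry
    if not env.controlled:
        return ("ABEND 913", "ICH417I")      # environment became uncontrolled
    if env.enhanced and not (env.started_with_main or names & env.basic):
        return ("ABEND 913", "ICH426I")      # non-MAIN program set up environment
    if any(not permits(p) for p in env.padchk):
        return ("ABEND 913", "ICH418I")      # a PADCHK program lacks an entry
    return ("GRANTED", None)

if __name__ == "__main__":
    # Constructed sample: PAYROLL may read the data set on behalf of group CLERKS.
    cal = [("PAYROLL", "CLERKS", "READ")]
    env = Env(ids=frozenset({"ALICE", "CLERKS"}), current="PAYROLL",
              first_in_task="PAYROLL")
    print(check(False, True, env, cal, "READ"))
    env.controlled = False
    print(check(False, True, env, cal, "READ"))
```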