ACEE: Accessor Environment Element
ACEE NOT programming interface information
The following fields are Not Programming Interface information:
- ACEEAMP
- ACEEMDLS
- ACEECGRP
- ACEECLCP
- ACEEGATA
- ACEEPADS
- ACEEOCOX
- ACEEPTDS
ACEESBVR
ACEE heading information
| Common name: | Accessor Environment Element (ACEE) |
|---|---|
| Macro ID: | IHAACEE |
| DSECT name: | ACEE |
| Owning component: | Resource Access Control Facility (SC1BN) |
| Eye-catcher ID: | ACEE (Offset: 0, Length: 4) |
| Storage attributes: |
|
| Size: | 192 bytes (does not include any data pointed to by ACEE) |
| Created by: | RACF or MVS's system authorization facility (SAF), depending on the parameters specified on RACROUTE REQUEST=VERIFY |
| Pointed to by: | A field supplied by the issuer of RACROUTE REQUEST=VERIFY. Or, for MVS only: ASXBSENV or TCBSENV. ACEEs pointed to by ASXBSENV or TCBSENV always reside below 16M. |
| Serialization: | See the notes that follow Function. |
| Function: | Maps the ACEE; represents the authorities of a single accessor in the address space. |
Notes:
- When the ACEECHK class is active, a program that updates an ACEE or user token
field affecting the user's authorization may cause IRR421I messages to be issued by the security
product when the ACEE is checked to determine authorization. IBM recommends that programs do not
directly modify authorization-related fields in the ACEE, but instead use interfaces provided by the
security product to create an ACEE with the required security attributes. In cases where this is not
possible, consider documenting that your program should be added to the exception list in the
ACEECHK class.
- If you use ACEEIEP, it must point to an area of storage you obtained using a GETMAIN from
within the RACINIT post-processing exit (any data obtained by the pre-processing exit will be
ignored, and not freed, when an ACEE is retrieved from the VLF cache). RACF frees this area when it
frees the ACEE. For RACF to do this, the first word of the area must contain the subpool and the
length of the area. The subpool appears in the high-order byte, and the length appears in the next 3
bytes.
If you do not conform to this requirement in your use of ACEEIEP, you must supply a RACINIT pre-processing exit to free the area and set the ACEEIEP field to 0 when a caller issues a RACINIT DELETE. In certain situations, however, your exit is not called during RACF error recovery, and unpredictable results may occur. Therefore, it is strongly recommended that you adhere to the specified requirements.
Examples of nonconforming use of ACEEIEP follow:- ACEEIEP contains data, rather than a pointer.
- ACEEIEP contains a pointer, however the first word of the area pointed to by ACEEIEP does not contain the subpool and length information for the area.
- ACEEIEP contains a pointer, and the first word of the area pointed to contains the subpool and
length information for a data area that points to additional area obtained using GETMAIN.
This situation might not cause an abend, but it results in a failure to free the acquired data area.
If your use of ACEEIEP does not conform to the specified requirements, or if your data area contains any pointers to other data areas, you must provide an ACEE compression/expansion exit. See z/OS Security Server RACF System Programmer's Guide for more information.
The area that ACEEIEP points to is retrieved with the ACEE. Before reusing ACEEIEP, installation code must process any existing area that ACEEIEP points to. A pointer to storage may be lost if installation code stores over ACEEIEP.
When reusing ACEEIEP, the storage for the new data that ACEEIEP points to should be in the same subpool as the ACEE. The ACEESP field of the ACEE contains the subpool of the ACEE. For more information about subpool use, see the z/OS MVS Programming: Assembler Services Guide.
- Within an IMS address space, ACEEAPTR is reserved for use by IMS during IMS initialization and signon.
- Both ACEETRLV and ACEETRDA are 0 if one of the following conditions is met:
- The NODES class is active and a NODES profile of the form submitnode.RUSER.userid exists with a UACC of at least UPDATE.
- The POE's class is not active.
- Neither TERMID nor POE was specified.
- There is no matching profile.
If the level is not specified in the profile, ACEETRLV is 0 even when none of the conditions are met. Similarly, if the DATA is not specified in the profile, ACEETRDA is 0 even when none of the conditions are met.
- Both ACEEAPLV and ACEEAPDA are 0 if one of the following conditions is met:
- The NODES class is active and a NODES profile of the form submitnode.RUSER.userid exists with a UACC of at least UPDATE.
- The APPL class is not active.
- APPL was not specified on the RACROUTE REQUEST=VERIFY.
- No matching profile exists.
If the level is not specified in the APPL profile, ACEEAPLV is 0 even when none of the conditions are met. Similarly, if the DATA is not specified in the profile, ACEEAPDA is 0 even when none of the conditions are met.
- The acronym at offset 0 is changed from "ACEE" to "acee" prior to freeing the ACEE storage.
- If you use ACEE3PTY, you must:
- Do not use ACEE3PTY ACEE as an address-space ACEE (ASXBSENV) or task ACEE (TCBSENV).
- Make sure that the ACEE3PTY ACEE is not deleted while it is being used by RACF.
- The ACEE3PTY must be set to zero, once its value is extracted and before the ACEE which points to the third-party ACEE is deleted and before another 3rd-party RACHECK using that ACEE is performed.
- The deletion of the ACEE3PTY ACEE must be complete while the resource manager is in the proper key. The ACEE3PTY ACEE is obtained from the same subpool as the ACEE in which it is anchored.
ACEE mapping
| Offset Dec |
Offset Hex |
Type | Len | Name(Dim) | Description |
|---|---|---|---|---|---|
| 0 | (0) | STRUCTURE | 192 | ACEE | Accessor environment element |
| 0 | (0) | CHARACTER | 4 | ACEEACEE | Acronym in EBCDIC -ACEE- |
| 4 | (4) | SIGNED | 4 | ACEECORE | ACEE subpool and length |
| 4 | (4) | ADDRESS | 1 | ACEESP | ACEE subpool number |
| 5 | (5) | ADDRESS | 3 | ACEELEN | Length of ACEE |
| 8 | (8) | ADDRESS | 1 | ACEEVRSN | Version = 1. |
| 9 |
(9) |
CHARACTER |
3 |
ACEESBVR |
Reserved for use by security product |
| 12 | (C) | ADDRESS | 4 | ACEEIEP | Reserved for installation. See "Notes" above for information on using the ACEEIEP field. |
| 16 | (10) | ADDRESS | 4 | ACEEINST | User data address: Points to a 1-byte length field followed by the installation data specified in the user profile. The length includes the 1-byte length field. The address is zero if (1) no valid user ID was provided or (2) no data was present in the profile. |
| 20 | (14) | CHARACTER | 9 | ACEEUSER(0) | User ID information |
| 20 | (14) | ADDRESS | 1 | ACEEUSRL | User ID length |
| 21 | (15) | CHARACTER | 8 | ACEEUSRI | Contains the valid RACF user ID unless (1) the user ID on the verify call was '*BYPASS*' for auditable work that bypasses authorization checking, or (2) no user ID was given so the field contains an '*'. |
| 29 | (1D) | CHARACTER | 9 | ACEEGRP(0) | Group name information |
| 29 | (1D) | ADDRESS | 1 | ACEEGRPL | Group name length |
| 30 | (1E) | CHARACTER | 8 | ACEEGRPN | Valid connect group unless ACEEUSRI is "*" or "BYPASS". For these two cases, ACEEGRPN is "*'". |
| 38 | (26) | BITSTRING | 1 | ACEEFLG1 | User flags |
| 1... .... | ACEESPEC | 1 - Special attribute | |||
| .1.. .... | ACEEADSP | 1 - Automatic data security protection | |||
| ..1. .... | ACEEOPER | 1 - Operations attribute | |||
| ...1 .... | ACEEAUDT | 1 - Auditor attribute | |||
| .... 1... | ACEELOGU | 1 - User is to have most RACF functions logged | |||
| .... .1.. | ACEEROA | 1 - Read-only auditor attribute | |||
| .... ..1. | ACEEPRIV | 1 - User is a started procedure with the privileged attribute | |||
| .... ...1 | ACEERACF | 1 - RACF-defined user | |||
| 39 | (27) | BITSTRING | 1 | ACEEFLG2 | Default universal access |
| 1... .... | ACEEALTR | 1 - Alter authority to resource | |||
| .1.. .... | ACEECNTL | 1 - Control authority to resource | |||
| ..1. .... | ACEEUPDT | 1 - Update authority to resource | |||
| ...1 .... | ACEEREAD | 1 - Read authority to resource | |||
| .... 1... | * | Reserved for compatibility | |||
| .... .1.. | * | Reserved | |||
| .... ..1. | * | Reserved | |||
| .... ...1 | ACEENONE | 1 - No authority to resource | |||
| 40 | (28) | BITSTRING | 1 | ACEEFLG3 | Miscellaneous flags |
| 1... .... | ACEEGRPA | Access list of group DS to
contain 0 - User ID or 1 - Group name and user ID
|
|||
| .1.. .... | ACEERASP | 1 - RACF address space | |||
| ..1. .... | ACEECLNT | 1 - Unauthenticated client | |||
| ...1 .... | ACEEACLT | 1 - Authenticated client | |||
| .... 1... | ACEETSKP | 1 - Task level process | |||
| .... .1.. | ACEEIUSP | 1 - INITUSP has been done | |||
| .... ..1. | ACEEDUID | 1 - Default UID being used | |||
| .... ...1 | ACEENPWR | 1 - This is a protected user ID that cannot enter the system with a password | |||
| 41 | (29) | CHARACTER | 3 | ACEEDATE | Date of RACINIT |
| 44 | (2C) | CHARACTER | 8 | ACEEPROC | Name of started procedure or blanks if not started procedure |
| 52 | (34) | ADDRESS | 4 | ACEETRMP | Address that points to the terminal ID. The field is zero for non-terminal users. |
| 56 | (38) | BITSTRING | 2 | ACEEFLG4 | Miscellaneous flags 2 |
| 1... .... | * | Reserved | |||
| .1.. .... | * | Reserved | |||
| ..1. .... | ACEEUATH | 1 - User is authorized to define other users | |||
| ...1 .... | * | Reserved | |||
| .... 1... | ACEEDASD | 1 - User is authorized to protect DASD volumes | |||
| .... .1.. | ACEETAPE | .... .1.. ACEETAPE 1 - User is authorized to protect tape volumes | |||
| .... ..1. | ACEETERM | 1 - User is authorized to protect terminals | |||
| 56 | (38) | BITSTRING | 1 | * | Reserved. |
| 58 | (3A) | ADDRESS | 1 | ACEEAPLV | Application level: Contains the level value from the application profile. |
| 59 | (3B) | ADDRESS | 1 | ACEETRLV | POE level: Contains the level value from the general resource profile that protects the port of entry. |
| 60 | (3C) | ADDRESS | 4 | ACEETRDA | POE data address: Points to a 1-byte length field followed by the installation data from the profile that protects the port of entry. The length includes the 1-byte length field. |
| 64 | (40) | CHARACTER | 8 | ACEETRID | An 8-byte area containing the terminal ID. The name is left-aligned and padded on the right with blanks. This field is blank when (1) termid is not specified and (2) either the POE is not specified or the POE class is not terminal. |
| 72 | (48) | ADDRESS | 4 | ACEEAMP | Address first anchored model. |
| 76 | (4C) | BITSTRING | 4 | ACEECLTH | User class authorizations - these bit positions are mapped by the class descriptor entries anchored off the RACF CVT. |
| 80 | (50) | ADDRESS | 4 | ACEECLCP | Anchor for in-storage profile trees built by the RACLIST function. |
| 84 | (54) | ADDRESS | 4 | ACEEAPTR | Address field reserved for application usage |
| 88 | (58) | CHARACTER | 8 | ACEEAPLN | Name of application to which user is connected, or blanks if no application specified |
| 96 | (60) | ADDRESS | 4 | ACEEAPDA | Application data address: Points to a 1-byte length field followed by the data from the application profile. The length includes the 1-byte length field. |
| 100 | (64) | ADDRESS | 4 | ACEEUNAM | Address of user name string. The first byte is a length field followed by the name string. The length includes the 1-byte length field. |
| 104 | (68) | ADDRESS | 4 | ACEEMDLS | Address of the data set model name array. If array not obtained by RACINIT or RACROUTE |
| 108 | (6C) | ADDRESS | 4 | ACEECGRP | Address of connect group table. |
| 112 | (70) | ADDRESS | 4 | ACEEGATA | Address of the generic anchor table |
| 116 | (74) | ADDRESS | 4 | ACEEFCGP | Address of table containing the list of groups this user ID is a member of. Built by RACINIT and used by FRACHECK, it is not automatically refreshed. |
| 120 | (78) | ADDRESS | 4 | ACEEDSLP | Address of the list of categories to which this user is allowed access |
| 124 | (7C) | CHARACTER | 4 | ACEEDAT4 | 4-byte date field formatted ccyydddF where cc is 00 for years 1971-1999 or 01 for years 2000-2070. |
| 128 | (80) | ADDRESS | 4 | ACEEPADS | Address of the list of data sets accessed by controlled programs executed by this user. |
| 132 | (84) | BITSTRING | 1 | ACEESLVL | Maximum security level accessible by this user |
| 133 | (85) | BITSTRING | 1 | ACEEFLG5 | Miscellaneous flags |
| 1... .... | ACEEMODE | 1 - ACEE mode is in 31-bit mode | |||
| .1.. .... | ACEEVMSK | 0 - If ACEEPLCL is not zero, it points to a 128-bit mask1 - ACEEPLCL points to a 1024-bit mask | |||
| ..1. .... | ACEED4OK | 1 - ACEEDAT4 contains data 0 - ACEEDAT4 not used | |||
| ...1 .... | ACEEXNVR | ENVR object created by another system | |||
| .... 1... | ACEESTOK | 1 - An ACEE was built from a TOKEN with a SERVAUTH port of entry, and the SERVAUTH resource name is no longer available. | |||
| .... .1.. | ACEENSTE | On if nested ENVR object (in ACEENSTA field) should be used in auth check | |||
| .... ..1. | ACEEDALY | 1 - User logged on to an application which only records daily logon statistics | |||
| 134 | (86) | CHARACTER | 1 | ACEEFLG6 | More miscellaneous flags |
| 1... .... | ACEERAUI | Restricted access user ID | |||
| .1.. .... | ACEERUAA | "On" if the RESTRICTED user ID can gain UNIX file access by virtue of the OTHER bits (for example, the user ID has READ access to RESTRICTED.FILESYS.ACCESS in the UNIXPRIV class) | |||
| ...1 .... | ACEERUAV | A check was made to RESTRICTED.FILESYS.ACCESS for this process so the value of ACEERUAA can be used | |||
| .... 1... | ACEEMFAU | User must authenticate with MFA. On when the user has an active MFA factor and MFADEF class is active. | |||
| .... .111 | ACEEMFAA | User authenticated with MFA. | |||
| ..1. .... | * | Reserved | |||
| 135 | (87) | CHARACTER | 1 | * | Reserved |
| 136 | (88) | ADDRESS | 4 | ACEE3PTY | Address of ACEE created by third-party RACHECK SVC processing |
| 140 | (8C) | ADDRESS | 4 | ACEEPLCL | Pointer to extended class authorization mask, or 0 |
| 144 | (90) | CHARACTER | 8 | ACEESUID | Surrogate user ID (AUDIT) |
| 152 | (98) | ADDRESS | 4 | ACEEOCOX | Pointer to O.C.O. extend |
| 156 | (9C) | ADDRESS | 4 | ACEEPTDS | Pointer to first TDS table |
| 160 | (A0) | ADDRESS | 4 | ACEEX5PR | Pointer to X500 name pair structure. Structure contains a 4-byte length of structure, followed by two 2-byte lengths, followed by up to 255 bytes of issuers name and up to 255 bytes of subjects name. Name pair storage is the same subpool and addressing mode as the ACEE. |
| 164 | (A4) | ADDRESS | 4 | ACEETOKP | Pointer to UTOKEN in external format |
| 168 | (A8) | ADDRESS | 4 | ACEESRVA | Address of an area containing a 1-byte length followed by the SERVAUTH resource name. |
| 172 | (AC) | ADDRESS | 4 | ACEESRVP | Address of an area containing a 1-byte length followed by the SERVAUTH profile name that granted access to the SERVAUTH resource. |
| 176 | (B0) | ADDRESS | 4 | ACEENSTA | Address of ENVR object representing the address space which created this ACEE |
| 180 | (B4) | ADDRESS | 4 | ACEEICTX | Address of the identity context extension. |
| 184 | (B8) | ADDRESS | 4 | ACEEIDID | Address of distributed identity data (IDID). |
| 188 | (BC) | CHARACTER | 4 | ACEETIME | ACEE creation time |
ACEE constants
| Len | Type | Value | Name | Description |
|---|---|---|---|---|
| 1 | DECIMAL | 1 | ACEEVR01 | ACEE version number = 1. |
| 1 | DECIMAL | 2 | ACEEVR02 | ACEE version number = 2. |
| 1 | DECIMAL | 3 | ACEEVR03 | ACEE version number = 3. |
| 1 | DECIMAL | 3 | ACEECURV | ACEE version number = 3. |
ACEE cross reference
| Name | Offset | Hex Value |
|---|---|---|
| ACEE | 0 | |
| ACEEACEE | 0 | |
| ACEEACLT | 28 | 10 |
| ACEEADSP | 26 | 40 |
| ACEEALTR | 27 | 80 |
| ACEEAMP | 48 | |
| ACEEAPDA | 60 | |
| ACEEAPLN | 58 | |
| ACEEAPLV | 3A | |
| ACEEAPTR | 54 | |
| ACEEAUDT | 26 | 10 |
| ACEECGRP | 6C | |
| ACEECLCP | 50 | |
| ACEECLNT | 28 | 20 |
| ACEECLTH | 4C | |
| ACEECNTL | 27 | 40 |
| ACEECORE | 4 | |
| ACEEDALY | 85 | |
| ACEEDASD | 38 | 08 |
| ACEEDATE | 29 | |
| ACEEDAT4 | 7C | |
| ACEEDSLP | 78 | |
| ACEEDUID | 28 | 02 |
| ACEED4OK | 85 | 20 |
| ACEEDAT4 | 7C | |
| ACEEFCGP | 74 | |
| ACEEFLG1 | 26 | |
| ACEEFLG2 | 27 | |
| ACEEFLG3 | 28 | |
| ACEEFLG4 | 38 | |
| ACEEFLG5 | 85 | |
| ACEEFLG6 | 86 | |
| ACEEGATA | 70 | |
| ACEEGRP | 1D | |
| ACEEGRPA | 28 | 80 |
| ACEEGRPL | 1D | |
| ACEEGRPN | 1E | |
| ACEEICTX | B4 | |
| ACEEIDID | B8 | |
| ACEEIEP | C | |
| ACEEINST | 10 | |
| ACEEIUSP | 28 | 04 |
| ACEELEN | 5 | |
| ACEELOGU | 26 | 08 |
| ACEEMDLS | 68 | |
| ACEEMFAA | 86 | 08 |
| ACEEMFAU | 86 | 10 |
| ACEEMODE | 85 | 80 |
| ACEENONE | 27 | 01 |
| ACEENPWR | 28 | 01 |
| ACEENSTA | B0 | |
| ACEENSTE | 85 | 04 |
| ACEEOCOX | 98 | |
| ACEEOPER | 26 | 20 |
| ACEEPADS | 80 | |
| ACEEPLCL | 8C | |
| ACEEPRIV | 26 | 02 |
| ACEEPROC | 2C | |
| ACEEPTDS | 9C | |
| ACEERACF | 26 | 01 |
| ACEERASP | 28 | 40 |
| ACEERAUI | 86 | 80 |
| ACEEREAD | 27 | 10 |
| ACEEROA | 26 | 06 |
| ACEERUAA | 86 | 40 |
| ACEERUAV | 86 | 20 |
| ACEESBVR |
9 |
|
| ACEESLVL | 84 | |
| ACEESP | 4 | |
| ACEESPEC | 26 | 80 |
| ACEESRVA | A8 | |
| ACEESRVP | AC | |
| ACEESTOK | 85 | 08 |
| ACEESUID | 90 | |
| ACEETAPE | 38 | 04 |
| ACEETERM | 38 | 02 |
| ACEETIME | BC | |
| ACEETOKP | A4 | |
| ACEETRDA | 3C | |
| ACEETRID | 40 | |
| ACEETRLV | 3B | |
| ACEETRMP | 34 | |
| ACEETSKP | 28 | 08 |
| ACEEUATH | 38 | 20 |
| ACEEUNAM | 64 | |
| ACEEUPDT | 27 | 20 |
| ACEEUSER | 14 | |
| ACEEUSRI | 15 | |
| ACEEUSRL | 14 | |
| ACEEVMSK | 85 | 40 |
| ACEEVRSN | 8 | |
| ACEEXNVR | 85 | |
| ACEEX5PR | A0 | |
| ACEE3PTY | 88 |