Parameters

Work_area

The name of a 1024-byte work area for SAF and RACF® use. The work area must be in the primary address space.

Ignored

The name of a fullword containing the value 0. The value of 0 is enforced.

SAF_Return_Code

The name of a fullword in which the SAF router returns the SAF return code.

RACF_Return_Code

The name of a fullword in which the service routine stores the return code.

RACF_Reason_Code

The name of a fullword in which the service routine stores the reason code.

Num_Parms

Specifies the name of a 4 byte area which contains the total number of parameters in the parameter list. The contents of this field must be set to binary seventeen.

Function_code

The name of a 4-byte area containing the Function code. The function code has one of the following values:

X'00000001': This function will parse the input and generate commands based on the security definitions specified in the XML. On systems running RACF, RACF commands will be generated and optionally executed. The generated commands, and the results of their optional execution, will be returned in the result_area in XML form.

Options

The name of a 4-byte area containing the Option values. The individual bits in the Option activate the options.

X'00000001' – EXECUTE.: If this bit is ON, the security definitions specified in the Request XML are executed, resulting in updates being made to the RACF database. The executed commands, along with their results are returned in the result_area. If this bit is OFF, the commands are generated and returned without being executed. This allows the caller to examine the commands before executing them. In this case no updates are made to the RACF database. If this bit is OFF, the commands are generated with minimal error checking because the command processor, which does most of the syntax checking, is not executed.
X'00000002' – PRECHECK.: If this bit is ON, IRRSMO00 checks for the existence of security definitions in the RACF database during command generation.
The processing performed on pre-existing security definitions can be customized on a per-security definition basis in the XML using the override="x" attribute. If the override="x" attribute is not specified, add commands are suppressed and alter commands are generated. READ access to IRR.IRRSMO00.PRECHECK in the XFACILIT class is required when specifying this option.
X'00000004' - Terminate on First Error: If bit x'00000004 is ON and option bit x'00000001' is ON (execute) command execution will terminate when the first error is encountered. If bit x'00000004' is off, an attempt is made to execute all update commands, even if some fail. If option X'00000001' (execute) if OFF, this option is ignored. This option is not supported by RACF, but may be supported by other ESMs.
X'00000008' – Suppress sensitive.: If this bit is ON, sensitive data which is specified in the input XML is suppressed from the generated command images returned from R_SecMgtOper. Sensitive data includes passwords, phrases, and other fields which contain sensitive information. The keywords are still intact in the returned command image, only the values are suppressed. When used in conjunction with the EXECUTE option bit, the sensitive data is removed from the commands after the command has executed. If this option is specified without the EXECUTE option, important data will be missing from the generated command images. This option will not suppress sensitive information from error or warning messages issued by commands.

Request_len

Name of a 4 byte area which contains the length of the request. The maximum value of Request_len is 10,000,000.

Request

Name of the storage area which contains the input data in XML form. The XML schema is discussed later. The maximum length of a request is 10,000,000 bytes.

Request_Handle

Name of a 64 byte storage area which must be initialized to binary 0 the first time the service is called. If the return codes indicate that the input was not fully processed because the result_len was too small, the Request_handle will contain a token which enables IRRSMO00 to resume processing the incomplete request.

The Notes® section describes how a caller should handle a results too small condition.

RunsAs_userID

The name of a 9-byte area that consists of a 1-byte length field followed by the userID, which can be up to eight characters. If not specified, the length must equal zero. Otherwise, the user ID must be specified in uppercase. If specified, the commands executed when the X'00000001' option is specified will run under the authority of this user ID.

ACEE

The name of a fullword containing the address of the ACEE of the user under whose identity the RACF administrative request runs if the x'00000001' (execute) option is specified. The user ID is extracted from the ACEEUSER field. The ACEE itself is not used for subsequent authority checking for the request by RACF. If the caller does not specify an ACEE, this area must contain binary zeros. If both an ACEE and a RunAs_userID are passed into this service, the RunAs_userID is used. The ACEE must reside in 31 bit storage. For callers of IRRSMO64, the address of the ACEE is still a 4 byte address. This parameter must be 0 for non-authorized callers.

result_len

The name of a fullword in containing the length of the result buffer in bytes. On return, this is updated to reflect how much data has been stored by the service in result. The minimum result_len is 10000.

result

The name of a preallocated buffer in which the service stores the output data, if applicable. The minimum size of the result buffer is 10000 bytes. The actual size must be reflected in result_len when calling the IRRSMO00 service. The data stored in result is well formed XML. If the return code indicates that result is too short to contain the entire result of the request (as indicated by resultLen on input),truncated data is stored in result. If the result is truncated, it will be truncated at an XML ending tag </tag> or <tag …/>, not in the middle of data.