Hello,
we use the USERSEC XML to check the CMN authorizations 'online' (during execution of REXX programs). Only this XML service is not allowed to be used.
Would it be possible to provide an alternative for this XML service so we are able to check the CMN rights of users in our processes?
As I'm not an expert in REXX programs (nor assembler programs): is it possible to call this assembler exit SERLCSEC also from REXX and pass the same arguments as in USERSEC
(user / entity / resourceClass / access)?
If possible ... can you give an example of how to call it?
Kind Regards
------------------------------
Wim Priem
Kbc Groupe
Brussel BE
------------------------------
Hi Wim,
There are security concerns about giving users the ability to view the security access of other users. This should not be an issue for batch jobs submitted by the ZMF started task under its authority because those jobs are built from controlled libraries. If I understand correctly, your need is for security checking for the current user in their TSO/ISPF session. If that is not the case, please let me know.
If checking for the current user in their TSO/ISPF session, or in a batch job submitted by the user (not by the ZMF STC), then the following REXX sample code can be used to do security checks using program SERLCSEC. SERLCSEC must be in a load library allocated to the TSO session via logon procedure, TSOLIB or other tasklib dynamic allocation.

/* REXX TEST - Call SERLCSEC */
parse upper arg class prof access .   /* e.g. $CHGMAN CMNLCADM UPDATE */
class = left(class,8)                 /* Class e.g. $CHGMAN */
prof = left(prof,44)                  /* Profile e.g. CMNLCADM */
access = left(access,8)               /* Access e.g. UPDATE */
parm1 = 'CHECK '                      /* Security function: user authorization check */
parm2 = x2c('00')                     /* Local security option flags: none set */
say "Class/Prof/Access/="class"/"prof"/"access"/"
ADDRESS LINKPGM "SERLCSEC PARM1 PARM2 PROF CLASS ACCESS"
say "Return code =" rc                /* rc is set by the SERLCSEC call */
return 0

We are also discussing the possibility of providing modified USERSEC XML services that are limited to checking only the current user when run under a user's authority.
------------------------------
Peter Webb
Rocket Forum Shared Account
------------------------------
Hi Peter,
thx for this reply ....
What if .... I want to check for a dedicated user?
Is there any alternative then?
Kind regards,
Priem Wim
------------------------------
Wim Priem
Kbc Groupe
Brussel BE
------------------------------
Hi Wim,
We don't provide the ability to do 3rd party security checks to users for security reasons. If you can provide a use case, perhaps there is a solution that does not require doing a 3rd party security check.
------------------------------
Peter Webb
Rocket Forum Shared Account
------------------------------
Hi Peter,
I did some testing with calling SERLCSEC via the code you gave ...
I'm not 100% sure, but I think by default it's checking the userid of the started task (because the REXX is called in an HLLX exit), because the result I receive is not correct (I expect 08 but receive 00).
I do read, however, in SERLCSEC itself ....

Parameter list:
+00 Address of security function
    CHECK    - User authorization checking
    VERIFY   - User authentication
    DELETE   - Delete ACEE
    USERTYPE - Query if userid is started task
    SAFAUTH  - Return SAF resource and class
    XMLAUTH  - Return XML resource and class
+04 Local security option flags mapped as follows:
    1... .... Suppress logging security violation
    .1.. .... Check password (SAF only)
    ..1. .... Started task user ID
    ...1 .... Change password (SAF only)
    .... 1... Specific userID checked, not STC
    .... .1.. Suppress WTOs
    .... ..1. If on, passphrase was provided; if off, password was provided
    .... ...1 MFA repeated logon

I assume that I should change parm2 = x2c('00') into something else if I want "Specific userID checked, not STC" ....
How can this be achieved?
Kind Regards
Wim
------------------------------
Wim Priem
Kbc Groupe
Brussel BE
------------------------------
Hi Wim,
I thought we were dealing with a user's TSO/ISPF session, which runs under the user's authority. HLL exits run in the HLL exit started task. The environment is different and allows the following. Note the change in parm2 and the addition of the USER parameter. It is important for security reasons that the REXX library (or libraries) allocated to ddname HLLXREXX be secured so that users do not have UPDATE access to it.

/* REXX - HLLX exit sample: check a specific user via SERLCSEC */
class = '$CHGMAN'
prof = 'CMNLCADM'
access = 'UPDATE'
user = userid                         /* User ID to check (taken here from variable userid) */
class = left(class,8)                 /* Class e.g. $CHGMAN */
prof = left(prof,44)                  /* Profile e.g. CMNLCADM */
access = left(access,8)               /* Access e.g. UPDATE */
parm1 = 'CHECK '                      /* Security function: user authorization check */
parm2 = x2c('88')                     /* Suppress logging. Specific user ID */
say "Class/Prof/Access/User="class"/"prof"/"access"/"user"/"
ADDRESS LINKPGM "SERLCSEC PARM1 PARM2 PROF CLASS ACCESS USER"
say "Return code =" rc                /* rc is set by the SERLCSEC call */
return 0

------------------------------
Peter Webb
Rocket Forum Shared Account
------------------------------
Hi Peter,
first of all, thanks for the reply and all the help.
Can you please elaborate more on why your last code will/cannot work under the TSO/ISPF environment, or do I understand this wrongly?
Because I want to be able to check the authorizations of users in both environments
(HLLX = under the started task with no TSO environment available, and the REXX TSO environment).
Many thx in advance !
Kind regards
Wim
------------------------------
Wim Priem
Kbc Groupe
Brussel BE
------------------------------
Hi Peter,
meanwhile I did some tests with the changed code .... but still I don't receive the correct result via SERLCSEC ...
for the test case that 'fails':
parm2 = x2c('88'); however, the user has admin authorization and I receive rc 08 ....
SILCSEC stared
Class/Prof/Access/user : $CCMNTST/CMNYGBAD /UPDATE /U78048
RC 8
SILCSEC ended
using XML ENVIRON,SERVICE,LIST and checking hasAdminAccess, I receive Y as the value.
any idea which log I could check to figure out what's going wrong?
Regards,
Wim
------------------------------
Wim Priem
Kbc Groupe
Brussel BE
------------------------------
Hi Wim,
The reason the last code will not work in a TSO/ISPF environment is because it is not an authorized environment. The security system prohibits specifying the USERID parameter on a RACROUTE authorization request. If I specify either USERID= (3rd party check) or LOG=NONE (suppress logging), RACF fails the request with a 282-10 abend. The RACF Messages and Codes states for 282-10 "APF authorization, or system key 0-7, or supervisor state required for CSA, LOG, PRIVATE, PROFILE, ACEE, UTOKEN, USERID, or GROUPID option". This intentionally prevents TSO/ISPF users from directly obtaining 3rd party security information. The ZMF and HLL exit started tasks run authorized, which is why their execution libraries must be protected from direct update access by users.
usersec.service.list XML reply <hasAdminAccess> is application administration authority. The security entity for that in ZMF subsystem L is CMNYLCAD. If that entity is not defined and PROTECTALL is not in effect, then UPDATE access to entity CMNLCADM is checked.
For global administration access XML tag <hasGlobalAccess>, the entity names are CMNYGBAD and CMNGBADM.
------------------------------
Peter Webb
Rocket Forum Shared Account
------------------------------
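A diagnostic exec, added here and not code from the thread or from ZMF, that builds parm2 from the flag map Wim quoted instead of a hand-typed hex value and issues Peter's CHECK call for each administration entity he names, so the return codes can be compared with the XML hasAdminAccess/hasGlobalAccess values. It assumes it runs with the authority Peter describes for the HLL exit started task (an unauthorized TSO session gets the 282-10 abend he mentions); the names optbyte, secCheck and FLAG_* are this example's own.

```rexx
/* REXX - Added example, not from the thread or from ZMF. Intended for */
/* the authorized HLLX exit started task, where the thread says the    */
/* USER parameter may be passed. Builds parm2 from the quoted bit map  */
/* instead of a hand-typed hex value, then reports the CHECK return    */
/* code for each administration entity Peter names, for comparison     */
/* with <hasAdminAccess> / <hasGlobalAccess>. The names optbyte,       */
/* secCheck and FLAG_* are this example's own.                         */

parse upper arg user class .        /* constructed e.g. U78048 $CCMNTST */
if user = '' then user = userid()   /* default: the current user         */

/* Bits of parm2, from the SERLCSEC parameter list quoted above        */
FLAG_NOLOG    = '1000 0000'b   /* Suppress logging security violation   */
FLAG_STCUSER  = '0010 0000'b   /* Started task user ID                  */
FLAG_SPECUSER = '0000 1000'b   /* Specific user ID checked, not STC     */
FLAG_NOWTO    = '0000 0100'b   /* Suppress WTOs                         */

parm2 = optbyte(FLAG_NOLOG, FLAG_SPECUSER)   /* same byte as x2c('88') */
say 'parm2 =' c2x(parm2)

/* Application-admin and global-admin entities as given in the thread, */
/* each with the entity ZMF checks when the CMNY form is not defined.  */
entities = 'CMNYLCAD CMNLCADM CMNYGBAD CMNGBADM'
do i = 1 to words(entities)
  prof = word(entities, i)
  rc = secCheck(user, class, prof, 'UPDATE', parm2)
  say left(class,8) left(prof,8) 'UPDATE rc =' rc,
      copies('(allowed)', rc = 0) copies('(denied)', rc = 8)
end
return 0

/* OR any number of one-byte flags into a single parm2 byte */
optbyte: procedure
  bits = '00'x
  do i = 1 to arg()
    bits = bitor(bits, arg(i))
  end
  return bits

/* Pad the fields as the posted samples do and call SERLCSEC CHECK.   */
/* Returns its return code: 0 = allowed and 8 = not allowed, as seen  */
/* in the thread; other values are not documented here.               */
secCheck: procedure
  parse arg user, class, prof, access, parm2
  parm1  = 'CHECK '
  class  = left(class,8)
  prof   = left(prof,44)
  access = left(access,8)
  ADDRESS LINKPGM "SERLCSEC PARM1 PARM2 PROF CLASS ACCESS USER"
  return rc
```

SERLCSEC must be in a load library available to the address space, as Peter notes above; the class argument is the one your site uses ($CHGMAN and $CCMNTST both appear in this thread).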
Hello Wim,
Maybe I don't fully grasp the issue, but at our site we gave all CMN users authority to the SERXMLRC RACF resource, giving them the ability to run the XML services from REXX. We are also checking one's accesses at execution time.
Always happy to elaborate on the subject.
Kind regards
Johan Jacob
PS: Don't hesitate to contact me directly, there are plenty of KBC colleagues that know me (johan.jacob@euroclear.com)
------------------------------
Johan Jacob
Euroclear
Brussels BE
------------------------------