IBM Security Z Security

  • 1.  zSecure Command Verifier =PRECMD and =REPLACE

    Posted Tue June 16, 2020 08:36 AM
    Edited by Adam Klinger Tue June 16, 2020 08:43 AM
    I noticed in doing some testing that, for example, if I set up these profiles:

    C4R.ALTUSER.=PRECMD.RESUME APPLDATA('ALTUSER &PROFILE(1) WHEN(DAY(ANYDAY) TIME(ANYTIME)) NOREVOKE RESUME')
    C4R.ALTUSER.=REPLACE.RESUME

    With ADAM in the access list for both profiles, if I issue an ALTUSER BOB RESUME, this will occur effectively recursively until I hit a GETMAIN error.

    Is there any way to basically just process a =PRECMD profile once, or a way around this if I want the APPLDATA to contain the same keyword (RESUME) as the original command?

    I'm basically trying to just replace the original command and add more keywords instead of generating another command (if possible).

    ------------------------------
    Adam Klinger
    ------------------------------


  • 2.  RE: zSecure Command Verifier =PRECMD and =REPLACE

    Posted Tue June 16, 2020 11:57 AM
    Hi Adam,
    If you define a pre-command that contains the trigger for the pre-command, then you have effectively coded a recursive loop without a stop criterion. I would recommend against doing that.

    If you want to retain the original trigger keyword, then just let the main command execute.
    Regards, Mike

    ------------------------------
    Mike Riches
    ------------------------------



  • 3.  RE: zSecure Command Verifier =PRECMD and =REPLACE

    Posted Wed June 17, 2020 07:56 AM
    Yes, avoiding recursive loops makes perfect sense :)

    So in this instance, is there any way to make it execute in effectively just one command? Not a big deal as I'm able to get the functionality I want, it just would end up being many more RACF commands executed in total.

    ------------------------------
    Adam Klinger
    ------------------------------



  • 4.  RE: zSecure Command Verifier =PRECMD and =REPLACE

    IBM Champion
    Posted Mon June 22, 2020 04:21 AM
    You could imagine an RFE to prevent obvious recursive calls. But other than that, your recourse is to execute the original ALTUSER RESUME command (delete C4R.ALTUSER.=REPLACE.RESUME) and omit the RESUME keyword from the PRECMD string.

    ------------------------------
    Rob van Hoboken
    ------------------------------