IBM Security Z Security

  • 1.  Command Verifier -- r_admin Authorization?

    Posted Thu September 10, 2020 08:46 AM
    Edited by Adam Klinger Thu September 10, 2020 08:47 AM

    Greetings,

    We are looking to see if Command Verifier profiles such as C4R.LISTUSER.=AUDITOR can be used for r_admin extract function authorization, such as issuing:

    myrc=IRRXUTIL("EXTRACT","USER","BOBSID","USR")


    Instead of needing a RACF attribute such as ROAUDIT / AUDITOR / SPECIAL, Group AUDITOR CONNECT in the related tree, etc. Is this a possibility?

    I haven't been able to get this to work, but from what I recall this may be due to how the r_admin callable service processes authorization (yes, the FACILITY class IRR.RADMIN.** authorization is in place).

     



    ------------------------------
    Adam Klinger
    ------------------------------


  • 2.  RE: Command Verifier -- r_admin Authorization?

    Posted Fri September 11, 2020 03:25 AM

    R_Admin supports three different types of functions:
    - run-command, which is executed in the RACF address space
    - update, where the input is converted to a command, and executed in the RACF address space
    - extract, where the input is converted to a "racroute extract" and executed in the user's address space.
    Command Verifier is only involved with commands, and not anywhere else. So, if you were using run-command or profile updates, the =AUDITOR policy applies. If you are using EXTRACT functions through IRRXUTIL, then Command Verifier is not involved (and thus it can't do anything regarding authorizations).



    ------------------------------
    Guus Bonnes
    ------------------------------



  • 3.  RE: Command Verifier -- r_admin Authorization?

    Posted Fri September 11, 2020 08:04 AM
    Thanks Guus, you confirmed my thinking in that Command Verifier wouldn't be involved in the EXTRACT function of IRRXUTIL.

    ------------------------------
    Adam Klinger
    ------------------------------



  • 4.  RE: Command Verifier -- r_admin Authorization?

    IBM Champion
    Posted Fri September 11, 2020 04:48 AM
    Edited by Rob van Hoboken Fri September 11, 2020 04:48 AM
    Am I correct in understanding that you need a flavor of ROAUDIT that allows you to LIST profiles, but without the ability to read UNIX file information and other ROAUDIT functions?  That suggests an RFE to RACF for one of these options:
    • extend the concept of IRR.LISTUSER into IRR.LISTGRP, IRR.LISTDS, IRR.LISTRES, and test this in the R_admin extract API, or
    • extend the concept of IRR.RADMIN.**, adding a scoping control similar to the one in IRR.LISTUSER, or
    • split up the ROAUDIT attribute into a pure LIST profiles function called, e.g., ROSPECIAL.


    ------------------------------
    Rob van Hoboken
    ------------------------------