R_Admin supports three different types of functions:
- run-command, which is executed in the RACF address space
- update, where the input is converted to a command, and executed in the RACF address space
- extract, where the input is converted to a "racroute extract" and executed in the user's address space.
Command Verifier is only involved with commands, and not anywhere else. So, if you were using run-command or profile updates, the =AUDITOR policy applies. If you are using EXTRACT functions through IRRXUTIL, then Command Verifier is not involved (and thus it can't do anything regarding authorizations).
------------------------------
Guus Bonnes
------------------------------
Original Message:
Sent: Thu September 10, 2020 08:46 AM
From: Adam Klinger
Subject: Command Verifier -- r_admin Authorization?
Greetings,
We are looking to see if Command Verifier profiles such as C4R.LISTUSER.=AUDITOR can be used for r_admin extract function authorization, such as issuing:
myrc=IRRXUTIL("EXTRACT","USER","BOBSID","USR")
Instead of needing a RACF attribute such as ROAUDIT / AUDITOR / SPECIAL, Group AUDITOR CONNECT in the related tree, etc. Is this a possibility?
I haven't been able to get this to work, but from what I recall this may be due to how the r_admin callable service processes authorization (yes, the FACILITY class IRR.RADMIN.** authorization is in place).
------------------------------
Adam Klinger
------------------------------