ICHCNX00 processing

The exit must be named ICHCNX00.

It allows an installation to perform additional security checks, to further enhance or restrict the RACF® limitations on the passed commands, or to modify or eliminate the RACF DASD data set naming convention. Because corresponding processing might be required in the RACROUTE REQUEST=DEFINE preprocessing exit and the RACROUTE REQUEST=AUTH preprocessing or postprocessing exits, RACF passes these exits a parameter list with similar structure and content, to allow similar routines to be used.

RACF calls the naming conventions processing routine before ICHCNX00 receives control. See also Data set naming convention table.

This exit must be reentrant.

The exit can have any RMODE, but AMODE should be AMODE(31) or AMODE(ANY) for the best use of virtual storage and best RACF performance.

This exit can run in the RACF subsystem address space, and considerations discussed in Exits running in the RACF subsystem address space apply.

If the exit is invoked for a command that originates from a TSO user, it is invoked in problem state, under protection key 8, in an APF-authorized environment. If the exit is invoked for a directed command, it is invoked in supervisor state, under protection key 0. If the exit is invoked for a command that originates from the operator's console, it is invoked in problem state, under protection key 2, in an APF-authorized environment. If the exit is invoked for a command issued under some other task, the invocation state depends on the attributes of that task.

z/OS Security Server RACF Data Areas contains a mapping of the command-preprocessing exit parameter list, CNXP.

The caller (indicated by the function and subfunction codes pointed to by the fullword at offset 4 in the parameter list) determines which parameters are passed to the exit routine and which parameters can be changed by the exit routine. See Table 1 for a summary of these parameters.

Table 1. ICHCNX00-exit parameter processing
CALLER		OFFSET
		0	4	8	12	16	20	24	28	32	36	40	44
RACROUTE REQUEST= AUTH		P	P	P	C	0	C	0	P	C	0	0	0
RACROUTE REQUEST= DEFINE	DEFINE RENAME ADDVOL DELETE	P P P P	P P P P	P P P P	C C C C	0 C 0 0	C C C C	0 0 C 0	P P P P	C C C C	C C 0 0	0 0 0 0	0 0 0 0
ADDSD	SET NOSET	P P	P P	P P	C C	0 0	P³ P³	0 0	P P	C C	C C	0 0	P P
ALTDSD	SET NOSET	P P	P P	P P	C C	0 0	P³ P³	0 0	P P	C C	0 0	0 0	P P
DELDSD	SET NOSET	P P	P P	P P	C C	0 0	P³ P³	0 0	P P	C C	C C	0 0	P P
LISTDSD	Prelocate DATASET ID or PREFIX	P P p	P P p	P P P	C¹ C C	0 0 0	P P P	0 0 0	P P P	0 C C	0 0 0	0 C C	P P P
PERMIT	TO resource FROM resource	P P	P P	P P	C C	0 0	P³ P⁴	0 0	P P	C C	0 0	0 0	P P
SEARCH	Presearch Postsearch	P P	P P	P P	C² C	0 0	0 P	0 0	P P	0 C	0 0	0 0	P P
IRRUT100		P	P	P	C	0	0	0	P	C	0	0	0
RACROUTE REQUEST= EXTRACT		P	P	P⁵	C	0	C³	0	P	C	P⁵	0	0
P means the field is passed to the exit routine, but should not be changed by the exit routine. C means the field is passed to the exit routine, and can be changed by the exit routine. 0 means the field is not passed to the exit routine, and is indicated as zero. Note: The field is set to the value specified (or defaulted to) on the DATASET, ID, or PREFIX parameter. The field is set to the value specified on the MASK parameter, or to zero length if the NOMASK parameter was specified. The field is nonzero only when the VOLUME parameter was specified. The field is nonzero only when the FVOLUME parameter was specified. The address passed always points to zero.