Previous topic |
Next topic |
Contents |
Contact z/OS |
Library |
PDF
Postprocessing exits (ICHRFX02 and ICHRFX04) z/OS Security Server RACF System Programmer's Guide SA23-2287-00 |
|||||||||
There are two RACROUTE REQUEST=FASTAUTH postprocessing exits: ICHRFX02 and ICHRFX04. Figure 1 shows the logic that RACF® uses to determine which exit to call. Note: For a nested ACEE, although two authorization checks might be
internally driven, ICHRFX04 is only called once, after both checks
have completed. It does not matter whether the nested ACEE is processed;
for example, if the client is authorized or the resource is not delegated,
ICHRFX04 is still called. For information about nested ACEEs, see
the section on delegated resources in z/OS Security Server RACF Security Administrator's Guide.
Figure 1. Logic that determines
whether ICHRFX02 or ICHRFX04 is called
The sequence of pre- and post- processing exit invocation, FASTAUTH authorization processing, and auditing (when FASTAUTH performs auditing due to LOG=ASIS or LOG=NOFAIL), is:
Default return code processing occurs prior to auditing. If the profile was not found and the postprocessing exit did not change the return code, FASTAUTH uses the default return code from the class descriptor table (CDT). The default return code, if used, is reflected in the auditing done by FASTAUTH. |
Copyright IBM Corporation 1990, 2014
|