z/OS Security Server RACF Macros and Interfaces


ICHETEST macro

SA23-2288-00

The ICHETEST macro tests for user-specified conditions on selected data in a RACF® profile. You can use the ICHETEST macro with the ICHEINTY and ICHEACTN macros to ensure that a specific requirement is met before processing of the ICHEINTY or ICHEACTN macro occurs. Failure to meet the requirements specified on the ICHETEST macro causes further processing of the associated ICHEINTY or ICHEACTN macro to be suppressed.

The ICHETEST macro must be issued from a task running in non-cross-memory mode with no locks held. The issuing task must be authorized (APF-authorized, in system key 0-7, or running in supervisor state).

The format of the ICHETEST macro is:
[label] ICHETEST FIELD=field-name | address
          ,FLDATA=(length,address)
          [,COND=EQ | NE | GT | LT | GE | LE | ONES | ZEROS | MIXED]
          [,ENCRYPT=TEMPLATE | YES | NO]
          [,MF=L | (E,address) | I]
          [,RELEASE=number | (,CHECK) | (number,CHECK)]
FIELD= field-name | address
Specifies the field-name in the RACF profile whose value is to be tested.

If you use the LIST form of the macro, specify the name of the field. The name must be from 1 to 8 characters long, not enclosed in quotes, and defined in the RACF template. In addition, the field cannot be a combination field name (such as ACL in the group profile). Note, however, that a combination field that specifies only one associated field is allowable. Such a combination field is called an alias field (for example, OWNER in the GROUP profile).

If you use the EXECUTE or INLINE form of the macro, specify the address of the field name to be tested. The address can be an A-type address or register (2 through 12). For EXECUTE and INLINE, you can also specify the field name as a constant (for example, 'OWNER').

FLDATA= (length,address)
Specifies the data to be tested against.

The length must be greater than zero and less than or equal to the length of field-name in the FIELD operand, or the test fails. For fixed length fields, you can specify a length that is less than the actual length of the field in the profile. For flag fields, the length specified is ignored and a 1-byte length is assumed. For variable-length fields, if the length is not equal to the field length in the profile, the test fails unless COND=NE is specified. Also, for variable-length fields the field data must not contain a length byte.

COND= EQ | NE | GT | LT | GE | LE | ONES | ZEROS | MIXED
Specifies the relationship that must exist between the FLDATA and FIELD values to satisfy the test. For example, COND=GE specifies that the value of FLDATA must be equal to or greater than the value of FIELD.

EQ, NE, GT, LT, GE, and LE are valid only for fixed length or variable-length fields. They are not valid for flag fields.

ONES, ZEROS, and MIXED are valid only for flag fields.

If you omit this operand, COND=EQ is the default. An explanation of ONES, ZEROS, and MIXED follows:
ONES
If the 1 bits exist in the FIELD value where the 1 bits exist in the FLDATA value, the test is successful.
ZEROS
If the 0 bits exist in the FIELD value where the 1 bits exist in the FLDATA value, the test is successful.
MIXED
If both 0 bits and 1 bits exist in the FIELD value where 1 bits exist in the FLDATA value, the test is successful.

You can think of this operation as being equivalent to doing a Test-Under-Mask operation. The ICHETEST data would be used as the mask, and the profile field would be used as the data.
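
The FLDATA length rules and the COND semantics described above, modelled in C as an added example (this is not IBM or RACF code). The names etest_model, enum cond and enum kind are hypothetical. Assumptions: an unsigned byte-wise compare of the leading bytes, an invalid COND/field-type combination reported as a failed test, and a zero mask treated the way the TM instruction treats it.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical names: a model of the documented rules, not RACF code. */
enum cond { EQ, NE, GT, LT, GE, LE, ONES, ZEROS, MIXED };
enum kind { FIXED, VARIABLE, FLAG };

/* Returns 0 if the test succeeds and 1 if it fails, the same values as
   the result byte at offset 1 of the ICHETEST parameter list. */
int etest_model(enum kind k, enum cond c,
                const unsigned char *field, size_t field_len,
                const unsigned char *fldata, size_t fldata_len)
{
    if (k == FLAG) {
        /* Length is ignored for flag fields: one byte, FLDATA is the mask. */
        unsigned char mask = fldata[0];
        unsigned char sel = field[0] & mask;
        switch (c) {
        case ONES:  return !(mask != 0 && sel == mask);
        case ZEROS: return !(sel == 0);
        case MIXED: return !(sel != 0 && sel != mask);
        default:    return 1;   /* EQ..LE are not valid for flag fields */
        }
    }
    if (c == ONES || c == ZEROS || c == MIXED)
        return 1;               /* valid only for flag fields */
    if (fldata_len == 0 || fldata_len > field_len)
        return 1;               /* FLDATA length out of range */
    if (k == VARIABLE && fldata_len != field_len)
        return c == NE ? 0 : 1; /* length mismatch: only COND=NE passes */

    /* Assumption: unsigned compare of the first fldata_len bytes.
       r describes FLDATA relative to FIELD, as in the COND=GE wording. */
    int r = memcmp(fldata, field, fldata_len);
    switch (c) {
    case EQ: return !(r == 0);
    case NE: return !(r != 0);
    case GT: return !(r > 0);
    case LT: return !(r < 0);
    case GE: return !(r >= 0);
    default: return !(r <= 0);  /* LE */
    }
}
```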

ENCRYPT= TEMPLATE | YES | NO
Specifies whether the data specified by FLDATA is to be encoded before the test is performed. If ENCRYPT=YES, the data is encoded regardless of whether the template flag associated with the field specifies that it is to be encoded. If ENCRYPT=NO, RACF does not encode the data regardless of the template flag value. If ENCRYPT=TEMPLATE, the template flag determines whether the data is encoded.

ENCRYPT is ignored if you specify COND as ONES, ZEROS, or MIXED.

MF= L | (E,address) | I
Specifies the form of the macro as either LIST, EXECUTE, or INLINE.

The LIST form reserves and initializes storage. MF=L is the default.

The EXECUTE form modifies a list defined elsewhere. If you use the EXECUTE form, you must specify the address of the list to be modified. The address can be an A-type address or register (2 through 12).

The INLINE form is similar to a STANDARD form, except that it generates code to branch around the parameter list. In the MF=I form, the label names the first location of the parameter list, not the preceding instruction.

RELEASE=number
RELEASE=(,CHECK)
RELEASE=(number,CHECK)
Specifies the release number. The release numbers you can specify with the ICHETEST macro are 7790, 7780, 7770, 7760, 7750, 7740, 7730, 7720, 7709, 7708, 7707, 7706, 7705, 7703, 2608, 2.6, 2.4, 2.3, 2.2, 2.1, 1.9.2, 1.9, 1.8.1, 1.8, or 1.7.
The default is RELEASE=1.7.

Table 1. ICHETEST parameters
Parameter   RELEASE=1.7 and earlier   RELEASE=1.8 or later
COND=       X                         X
ENCRYPT=    X                         X
FIELD       X                         X
FLDATA      X                         X
MF          X                         X

Some considerations regarding the ICHETEST macros are:
  • You cannot use the ICHETEST macro with an ICHEINTY macro that has the RENAME operation specified.
  • A profile can contain repeat groups. A repeat group consists of one or more sequential fields that can be repeated in the profile. By specifying COND=EQ, you can select the occurrence of the repeat group to which the action applies.

    By specifying COND=NE, you can position yourself past the last occurrence of the repeat group. Then you can add a new occurrence to the end of that repeat group with an ICHEACTN macro.

    Note: When the ICHEACTN macro refers to a repeat group and more than one ICHETEST macro is specified, the last ICHETEST macro serves to position data retrieval from the profile. Therefore, the last ICHETEST should refer to the same repeat group as the last ICHEACTN; otherwise the retrieved data will be from the last tested field. On multiple tests with fields in repeat groups, each test is processed separately, and if all succeed, the tests are considered to have succeeded.
  • Tests involving negative numbers cause unpredictable results.
  • If a specified address equals zero, ICHETEST makes no test.
  • Use only COND=EQ or COND=NE to test masked fields. Other comparisons cause unpredictable results.
  • The expansion of the ICHETEST macro MF=L or MF=I includes at offset 1, a 1-byte field whose value will be X'00' if the test was successful, or X'01' if the test failed. The ICHETEST parameter list must be in modifiable storage.
  • If RELEASE=1.8 or later, the expansion of the ICHETEST macro MF=L or MF=I includes a one byte field at offset 3 whose low-order bit will be set to X'01' if the test failed because FLDACC=YES was specified on the associated ICHEINTY.
  • It is possible to mix 1.7 and 1.8 or later format tests in the same request. The ICHEINTY and ICHEACTN macros can specify either RELEASE=1.7 or RELEASE=1.8 or later.
  • When ICHEINTY LOCATE is used to retrieve data from a profile segment other than the BASE segment, default values (binary zeros for fixed-length fields, lengths of zero for variable-length fields) are returned by the manager if the profile could contain but does not contain an occurrence of that segment. If you need to know whether the segment actually exists, specify a TEST for the SEGNAME on the ICHEINTY. For example, when doing a LOCATE to retrieve the TSO segment from a user profile, use TEST as follows:
             ICHETEST  FIELD=SEGNAME,COND=EQ,FLDATA=(8,CTSO)
             ....
             ....
    CTSO     DC        CL8'TSO'





Copyright IBM Corporation 1990, 2014