z/OS Security Server RACF Diagnosis Guide


Trace example 1

GA32-0886-00

Use this SLIP trap to write a GTF trace record for each program loaded into the environment:
    SLIP SET,IF,ACTION=TRACE,LPAMOD=(ICHRFR00,xxxxx),J=jobname,
    TRDATA=(STD,REGS,zzzzz),ML=100,END
xxxxx
The offset into ICHRFR00 where ICHRCP00 starts plus the yyy value defined in Table 1 for your RMID level of the ICHRCP00 CSECT. Run an AMBLIST of ICHRFR00 to determine the offset of the beginning of ICHRCP00 into ICHRFR00.
zzzzz
See Table 1 for the correct TRDATA information based on your RMID level of the ICHRCP00 CSECT. The yyy and zzzzz values specified for UW21213 should be used for all later RMID levels beginning with RACF® 2.2.0, and for the OS/390® Release 3 level of RACF (HRF2230). If you have a later RMID level for RACF 2.1.0, you should use the yyy and zzzzz values specified for UW16891.
jobname
If the program is executed in batch, this is the name of the job that executes the program. If a TSO user executes the program, this is the TSO user ID. In the TSO case, the SLIP must be set before the user logs on to the system, or the logon address space is not matched.
Table 1. RMID Levels, yyy and zzzzz Values for Example 1 (yyy is a hexadecimal offset)

RMID level            yyy   zzzzz
UW03221               406   9R?+A0?,+7,9R?+A4?,+2B,9R?+A8?,+5
UW08914               406   9R?+A0?,+7,9R?+A4?,+2B,9R?+A8?,+5
UW16891               BC    9R?+A0?,+7,9R?+A4?,+2B,9R?+A8?,+5
HRF2220               5E    9R?+00?,+7,9R?+04?,+2B,9R?+08?,+5
UW21213               60    9R?+00?,+7,9R?+04?,+2B,9R?+08?,+5
HRF2240 to HRF2608    80    9R?+00?,+7,9R?+04?,+2B,9R?+08?,+5
HRF7703               84    9R?+00?,+7,9R?+04?,+2B,9R?+08?,+5
HRF7707               9C    9R?+00?,+7,9R?+04?,+2B,9R?+08?,+5

Because this SLIP produces GTF records, GTF must be started with the TRACE=SLIP option before the program runs; afterwards, format the collected data with the IPCS GTFTRACE subcommand.

If the preceding steps have been implemented correctly, 'SLIP S+U' entries are generated in the trace records. Under the 'SLIP S+U' heading, locate the 'General Purpose Register Values' line and obtain the value of R15 for each of the 'SLIP S+U' records in the trace output.

R15 holds one of five (hexadecimal) values:
0
User or group is authorized to resource.
4
Resource is not defined to RACF.
8
User or group is not authorized to resource.
C
Resource is not defined to RACF and library is controlled.
10
User or group is authorized to resource and program has NOPADCHK attribute.

If the value in R15 is 4, 8, or C, a profile in the PROGRAM class must be defined to protect the program identified by this trace entry. In addition to defining the profile in the PROGRAM class, the PERMIT command must be issued to put the users or groups in the access list of the program's profile. To rebuild the in-storage profile list so that the changes take effect immediately, issue the SETROPTS WHEN(PROGRAM) REFRESH command after making changes to the PROGRAM class. For more information about defining profiles in the PROGRAM class and creating entries in a conditional access list, see z/OS Security Server RACF Security Administrator's Guide.

Note: If the RACF database is shared with other systems, SETROPTS REFRESH takes effect only on the system on which it is issued. In this case, SETROPTS WHEN(PROGRAM) REFRESH must also be issued on every other sharing system so that the PROGRAM class changes take effect immediately there as well. The exception is when RACF is enabled for sysplex communication, in which case the refresh is propagated to the other members.
The information that you need to define the PROGRAM class profile correctly is found in the 'SLIP USR' portion of the trace record that follows the 'SLIP S+U' information. If the zzzzz value was set correctly you will see:
    0008  PROGRAM
    002C  DATASET.NAME
    0006  VOLUME
where:
PROGRAM
Is the actual name of the program being loaded as it is known to RACF.
DATASET.NAME
Is the name of the data set from which the program name was loaded. There are instances where the library name does not show up in the trace.
VOLUME
Is the volume that the data set resides on.
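The decision described above (read R15, then turn the three 'SLIP USR' fields into a PROGRAM profile, a PERMIT, optionally a conditional access list entry, and the refresh) as a small script. This is an added example, not part of the Diagnosis Guide: it assumes the analyst types in the PROGRAM, DATASET.NAME and VOLUME fields as read from the formatted trace, uses the RDEFINE/PERMIT/RLIST/SETROPTS syntax documented for RACF, and the program, library, volume, user and data set names in it are made up. It also covers two cases the text mentions: it refuses to build an ADDMEM when the library name is missing from the trace, and for R15=8 (profile exists, user not permitted) it lists the covering profile instead of redefining it.

```python
from dataclasses import dataclass
from typing import List, Optional

# R15 values the guide lists for this trace point (hexadecimal).
R15_MEANING = {
    0x00: "user or group is authorized to the program",
    0x04: "program is not defined to RACF",
    0x08: "user or group is not authorized to the program",
    0x0C: "program is not defined to RACF and the library is controlled",
    0x10: "user or group is authorized and the program has NOPADCHK",
}
NOT_DEFINED = frozenset({0x04, 0x0C})   # define a new profile, then PERMIT
NOT_AUTHORIZED = frozenset({0x08})      # a profile exists; PERMIT is enough


@dataclass
class TraceEntry:
    r15: int
    program: str   # 8-byte PROGRAM field from 'SLIP USR'
    dataset: str   # 44-byte DATASET.NAME field (may be blank, see text)
    volume: str    # 6-byte VOLUME field
    user: str      # job name or TSO user ID the SLIP was set for

    def __post_init__(self) -> None:
        # USR fields are fixed-length and blank-padded; drop the padding.
        self.program = self.program.strip().upper()
        self.dataset = self.dataset.strip().upper()
        self.volume = self.volume.strip().upper()
        self.user = self.user.strip().upper()


def describe_r15(r15: int) -> str:
    """Translate R15 from the 'SLIP S+U' record into the guide's wording."""
    if r15 not in R15_MEANING:
        raise ValueError(f"R15=X'{r15:X}' is not a value this trace point returns")
    return R15_MEANING[r15]


def racf_fix(entry: TraceEntry, pads_dataset: Optional[str] = None,
             padchk: bool = True) -> List[str]:
    """Return the RACF TSO commands that resolve this trace entry; an empty
    list means R15 reported success and nothing needs changing."""
    describe_r15(entry.r15)  # reject values the trace point never returns
    if entry.r15 not in NOT_DEFINED | NOT_AUTHORIZED:
        return []
    cmds: List[str] = []
    if entry.r15 in NOT_DEFINED:
        if not entry.dataset or not entry.volume:
            # The guide warns the library name is sometimes missing from the
            # trace; refuse rather than guess which load library to name.
            raise ValueError(f"{entry.program}: DATASET.NAME/VOLUME missing from "
                             "trace; identify the load library before defining the profile")
        pad = "PADCHK" if padchk else "NOPADCHK"
        # ADDMEM syntax is 'dsname'/volser/PADCHK|NOPADCHK. UACC(NONE) so only
        # the access list grants execute (READ) access.
        cmds.append(f"RDEFINE PROGRAM {entry.program} "
                    f"ADDMEM('{entry.dataset}'/{entry.volume}/{pad}) UACC(NONE)")
    else:
        # R15=8: a profile already covers the program. RLIST shows which one;
        # if it is a generic (for example ABC*), PERMIT must name that profile.
        cmds.append(f"RLIST PROGRAM {entry.program} ALL")
    cmds.append(f"PERMIT {entry.program} CLASS(PROGRAM) ID({entry.user}) ACCESS(READ)")
    if pads_dataset:
        # Conditional access list entry: the user may read the PADS data set
        # only while running the now-controlled program.
        cmds.append(f"PERMIT '{pads_dataset}' CLASS(DATASET) ID({entry.user}) "
                    f"ACCESS(READ) WHEN(PROGRAM({entry.program}))")
    # Rebuild the in-storage profile list. With a shared database and no RACF
    # sysplex communication this must be issued on every sharing system.
    cmds.append("SETROPTS WHEN(PROGRAM) REFRESH")
    return cmds


if __name__ == "__main__":
    # Constructed sample: what an analyst would read off one trace record.
    entry = TraceEntry(r15=0x0C, program="MYPGM   ",
                       dataset="SYS1.TESTLIB".ljust(44), volume="VOL001",
                       user="USER01")
    print(f"R15=X'{entry.r15:X}': {describe_r15(entry.r15)}")
    for cmd in racf_fix(entry, pads_dataset="PAYROLL.MASTER"):
        print(cmd)
```

The PADCHK default matches RACF's own default for ADDMEM; pass padchk=False for a utility program that must be NOPADCHK so that running it between logon and the PADS access does not break the controlled environment (the TSO note below).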
Note: As stated in z/OS Security Server RACF Security Administrator's Guide, if a TSO user has executed a non-controlled program during the current session and then attempts to access a PADS data set, the attempt fails. The TSO user can in some cases temporarily regain a controlled environment by invoking the controlled program through the TSOEXEC command; see Special consideration when REXX is involved for exceptions. A program can do the equivalent by invoking the TSO IKJEFTSR service. This technique is useful to users who want to run their programs from a TSO session but do not want to protect every program executed between logon and the program that is intended to access the data set.

Also, program AAOEFTB3 might require protection if the MVS/TSO Dynamic Steplib Facility, program number 5798-DZW, is used while attempting to implement program control in the environment created by TSOEXEC. AAOEFTB3 is normally found in SYS1.LINKLIB.

Copyright IBM Corporation 1990, 2014