Here is the sample transaction security authorization installation
exit, CBRUXSAE:
UXSAE    TITLE 'CBRUXSAE - SAMPLE OSREQ TX AUTH INSTALLATION EXIT'
CBRUXSAE START 0                   SAMPLE OSREQ TX AUTH INST EXIT
         SPACE 2
**** START OF SPECIFICATIONS *****************************************
* *
* MODULE NAME: CBRUXSAE *
* *
* DESCRIPTIVE NAME: SAMPLE OSREQ TRANSACTION SECURITY *
* AUTHORIZATION INSTALLATION EXIT *
* *
* PROPRIETARY V3 STATEMENT *
* LICENSED MATERIALS - PROPERTY OF IBM *
* 5694-A01 *
* Copyright IBM Corp. 1996, 2009 *
* END PROPRIETARY V3 STATEMENT *
* *
* Function: *
* Module CBRUXSAE is invoked each time a request is made to *
* OAM via the OSREQ interface. CBRUXSAE may refuse to allow *
* the user to perform the requested transaction by returning *
* an appropriate return code in register 15 (described in *
* the OUTPUT section below). *
* *
* Starting with z/OS V1R11, more granular return codes have *
* been implemented to allow bypassing the exit for each of the *
* individual OSREQ functions in addition to the ability to *
* restrict STOREs to existing collections only. *
* The additional return codes enable an installation to bypass *
* the exit for any combination of functions. For example, the *
* exit can be bypassed for OSREQ QUERY and RETRIEVE requests *
* but active for OSREQ STORE, and DELETE requests. *
* *
************************** !!! WARNING !!! ****************************
* WARNING: Prior to z/OS V1R11, ANY non-zero return code (except *
* RC 16 for BYPASS) meant "authorization failed". Starting with *
* z/OS V1R11, return codes 253, 254, and 255 have new meaning *
* as described in the OUTPUT section below. If you used 253, *
* 254, or 255 in a pre-V1R11 version of CBRUXSAE, please review *
* the new meanings and modify your exit appropriately. *
************************** !!! WARNING !!! ****************************
* THE INSTALLATION CAN PERFORM AUTHORIZATION CHECKING BY ANY *
* MEANS IT DEEMS REASONABLE. FOR EXAMPLE: *
* 1. INVOKE RACF VIA THE SAF RACROUTE MACRO *
* 2. USE A TABLE-DRIVEN METHOD OF AUTHORIZATION CHECKING, *
* USING A DATASET OF USERIDS AND THE COLLECTIONS/OBJECTS *
* A USER IS AUTHORIZED TO PERFORM FUNCTIONS AGAINST. *
* THE AUTHORIZATION CHECKING MAY BE AT THE GRANULARITY THAT *
* THE INSTALLATION DECIDES IS NECESSARY, USING THE VALUES *
* PASSED IN TO THIS EXIT. *
* *
* NOTES: *
* THIS SAMPLE RETURNS WITH A RETURN CODE OF 16 (UXSAEDIS), TELLING *
* OAM TO BYPASS THE EXIT AND TREAT ALL USERS AS AUTHORIZED. *
* *
* DEPENDENCIES: MVS/SP VERSION 4.3.0 *
* DFSMS/MVS 1.2.0 *
* *
* CHARACTER CODE: EBCDIC *
* *
* RESTRICTIONS: NONE *
* *
* REGISTER CONVENTIONS: *
* R0 - UNPREDICTABLE *
* R1 - STANDARD LINKAGE REGISTER *
* R2 - UNPREDICTABLE *
* R3 - UNPREDICTABLE *
* R4 - UNPREDICTABLE *
* R5 - UNPREDICTABLE *
* R6 - UNPREDICTABLE *
* R7 - UNPREDICTABLE *
* R8 - UNPREDICTABLE *
* R9 - ADDRESS OF AUTODATA AREA FOR EXIT *
* R10 - UNPREDICTABLE *
* R11 - INPUT BASE REGISTER *
* R12 - CBRUXSAE BASE REGISTER *
* R13 - STANDARD LINKAGE REGISTER *
* - SAVE AREA ADDRESS *
* R14 - STANDARD LINKAGE REGISTER *
* - RETURN POINT ADDRESS *
* R15 - STANDARD LINKAGE REGISTER *
* - ENTRY POINT ADDRESS *
* - RETURN CODE *
*
* MODULE TYPE: CONTROL SECTION *
* *
* PROCESSOR: ASSEMBLER H *
* *
* ATTRIBUTES: *
* *
* LOCATION: LINKLIB *
* STATE: PROBLEM OR SUPERVISOR (CALLER) *
* AMODE: 31 *
* RMODE: ANY *
* KEY: KEY OF CALLER *
* MODE: TASK *
* SERIALIZATION: UNLOCKED *
* TYPE: REENTRANT, REUSABLE, REFRESHABLE *
* AUTHORIZATION: NONE *
* *
* LINKAGE: STANDARD LINKAGE CONVENTIONS *
* *
* CALLING SEQUENCE: *
* CBRUXSAE IS INVOKED IN THE USER'S ADDRESS SPACE USING THE *
* MVS LINK MACRO *
* *
* *
* INPUT: *
* REGISTER 1 WILL CONTAIN THE ADDRESS OF A PARAMETER LIST *
* WHICH WILL CONTAIN 4 POINTERS: *
* 1. POINTER TO 8 CHARACTER FIELD WHICH CONTAINS THE *
* OSREQ FUNCTION BEING PERFORMED *
* POSSIBLE FUNCTIONS ARE: STORE *
* RETRIEVE *
* CHANGE *
* QUERY *
* DELETE *
* 2. POINTER TO 44 CHARACTER FIELD WHICH CONTAINS THE *
* OBJECT NAME ASSOCIATED WITH THE REQUESTED FUNCTION *
* 3. POINTER TO 44 CHARACTER FIELD WHICH CONTAINS THE *
* COLLECTION NAME ASSOCIATED WITH THE REQUESTED FUNCTION *
* 4. POINTER TO 8 CHARACTER FIELD WHICH CONTAINS THE *
* USERID ASSOCIATED WITH THE REQUESTED FUNCTION *
* REGISTER 9 WILL CONTAIN THE ADDRESS OF A 1024 BYTE AREA OF *
* STORAGE WHICH CAN BE USED AS THIS PROGRAM'S AUTOMATIC STORAGE*
* *
* OUTPUT: *
* A RETURN CODE IS PLACED IN REGISTER 15: *
* Return *
* Code Description *
* ------ ------------------------------------------------------------*
* 0 AUTHORIZED *
* User is authorized to perform this function. The exit will *
* continue to be called for all normally called OSREQ *
* functions: *
* STORE, RETRIEVE, QUERY, CHANGE, DELETE, and STORE BEGIN. *
* *
* 16 BYPASSED *
* The current user and all future users are authorized. Exit *
* will now be BYPASSED (not called again for any function). *
* *
* 224-252 RESERVED (Not Authorized) @L1A*
* Reserved for IBM. It is recommended that installations do *
* not use return code values in this range because their *
* meaning could change in the future. However, they are *
* currently interpreted as: *
* User is not authorized to perform this function. No change *
* is made to the BYPASS status of any OSREQ function. *
* *
* 253 STORE RESTRICTED (No Bypass) @L1A*
* Store to existing collection only. *
* - For STORE (and STORE BEGIN) function: User is authorized *
* to store into an existing collection only. Attempts to *
* store into a collection that does not exist will fail. *
* - All other OSREQ functions: NOT Authorized. *
* *
* This is valid for the current invocation only. No change *
* is made to the BYPASS status of any OSREQ function. *
* *
* 254 BYPASS CURRENT FUNCTION (IF STORE, RESTRICTED) @L1A*
* Current and future users are authorized to perform the *
* current function. The exit will be BYPASSED (not called *
* again) for the current function. If the current function *
* is a STORE (or STORE BEGIN) then this exit will be bypassed *
* for subsequent STORE requests. This STORE request and *
* subsequent STORE requests will be allowed into existing *
* collections only. Attempts to store into a collection that *
* does not exist will fail. *
* Note: If an administrator needs to create a new collection *
* after this has been set, he'll have to first reset the exit *
* via the LIBRARY RESET,CBRUXSAE operator command. *
* *
* For all other OSREQ FUNCTIONS, this exit will be bypassed *
* (Authorized) for that particular function. For example, if *
* current function is RETRIEVE, then this RETRIEVE request *
* and all subsequent RETRIEVE requests will be allowed. The *
* same applies for QUERY, CHANGE, and DELETE. *
* *
* 255 BYPASS CURRENT FUNCTION (IF STORE, NOT RESTRICTED) @L1A*
* Current and future users are authorized to perform the *
* current function. The exit will be BYPASSED (not called *
* again) for the current function. If the current function *
* is a STORE (or STORE BEGIN) then this exit will be bypassed *
* for subsequent STORE requests. This STORE request and *
* subsequent STORE requests will be allowed to store to both *
* new and existing collections. *
* *
* For all other OSREQ FUNCTIONS, this exit will be bypassed *
* (Authorized) for that particular function. For example, if *
* current function is RETRIEVE, then this RETRIEVE request *
* and all subsequent RETRIEVE requests will be allowed. The *
* same applies for QUERY, CHANGE, and DELETE. *
* Note: Return codes 254 and 255 have the same meaning for *
* all functions except the store functions (STORE and STORE *
* BEGIN). *
* *
* Any *
* other *
* non- *
* zero User is not authorized to perform this function. @L1A*
* *
* EXIT NORMAL: *
* RETURN TO THE CALLER WITH RETURN CODE 0 OR NON-ZERO *
* RETURN CODE, INDICATING AUTHORIZATION FAILURE *
* *
* EXIT ERROR: NONE *
* *
* EXTERNAL REFERENCES: *
* *
* ROUTINES: NONE *
* *
* CONTROL BLOCKS: NONE *
* *
* EXECUTABLE MACROS: *
* RETURN *
* SAVE *
* *
* MESSAGES: NONE *
* *
* ABEND CODES: NONE *
* *
* CHANGE ACTIVITY: *
* *
* $L0=OW20657 1B0 950501 TUCLJT: Initial release *
* *
* $01=OW36250 1E0 990104 TUCLJT: Change default to return a @01A*
* RC=16 to indicate that the @01A*
* exit is not used, therefore @01A*
* should not be invoked again @01A*
* (Roll up of OW35784 1C0, 1D0)@01A*
* $L1=OAMR1B R11 080523 TUCTMD: OAMR1B CBRUXSAE Enhancement @L1A*
* Add new return codes for @L1A*
* STORE to existing Collection @L1A*
* only, and BYPASS individual @L1A*
* OSREQ Functions @L1A*
* *
**** END OF SPECIFICATIONS ********************************************
         TITLE 'CBRUXSAE INPUT PARAMETERS'
*---------------------------------------------------------------------*
* *
* MODULE INPUT PARAMETER DEFINITIONS *
* *
*---------------------------------------------------------------------*
UXSAEINP DSECT ,
FUNC_PTR DS    1F                  ADDRESS OF FUNCTION
OBJN_PTR DS    1F                  ADDRESS OF OBJECT NAME
COLN_PTR DS    1F                  ADDRESS OF COLLECTION NAME
USER_PTR DS    1F                  ADDRESS OF USERID
SAVE     DS    CL72                SAVE AREA
DATDPTR  DS    1F                  AUTO DATA AREA ADDRESS
         SPACE 2
         TITLE 'CBRUXSAE WORKING STORAGE'
*---------------------------------------------------------------------*
* *
* MODULE AUTO DATA AREA DEFINITIONS *
* *
*---------------------------------------------------------------------*
WORKAREA DSECT ,                   CBRUXSAE AUTO DATA AREA
SAVEAREA DS    18F                 SAVE AREA
         DS    CL440               AVAILABLE STORAGE
WORKLEN  EQU   *-WORKAREA
         SPACE 2
         TITLE 'STANDARD REGISTER DEFINITIONS'
*---------------------------------------------------------------------*
* *
* STANDARD REGISTER DEFINITIONS *
* *
*---------------------------------------------------------------------*
R0       EQU   0                   GENERAL REGISTER 0
R1       EQU   1                   GENERAL REGISTER 1
R2       EQU   2                   GENERAL REGISTER 2
R3       EQU   3                   GENERAL REGISTER 3
R4       EQU   4                   GENERAL REGISTER 4
R5       EQU   5                   GENERAL REGISTER 5
R6       EQU   6                   GENERAL REGISTER 6
R7       EQU   7                   GENERAL REGISTER 7
R8       EQU   8                   GENERAL REGISTER 8
R9       EQU   9                   GENERAL REGISTER 9
R10      EQU   10                  GENERAL REGISTER 10
R11      EQU   11                  GENERAL REGISTER 11
R12      EQU   12                  GENERAL REGISTER 12
R13      EQU   13                  GENERAL REGISTER 13
R14      EQU   14                  GENERAL REGISTER 14
R15      EQU   15                  GENERAL REGISTER 15
*---------------------------------------------------------------------*
* MISCELLANEOUS CONSTANT VALUES *
*---------------------------------------------------------------------*
UXSAEDIS EQU   16                  RC=16 TELLS OSR TO DISABLE     @01A
*                                  FURTHER CALLS TO THIS SECURITY @01A
*                                  AUTHORIZATION EXIT AND HANDLE  @01A
*                                  SUBSEQUENT INVOCATIONS AS      @01A
*                                  AUTHORIZED USERS               @01A
*---------------------------------------------------------------------*
*---------------------------------------------------------------------*
         TITLE 'CBRUXSAE - SAMPLE OSREQ TX AUTH INSTALLATION EXIT'
*---------------------------------------------------------------------*
* *
* CBRUXSAE ENTRY POINT *
* *
*---------------------------------------------------------------------*
CBRUXSAE CSECT ,                   SAMPLE OSREQ TX AUTH INST EXIT
CBRUXSAE AMODE 31
CBRUXSAE RMODE ANY
         SAVE  (14,12),,           SAVE CALLER'S REGISTERS AND         +
               'CBRUXSAE&SYSDATE'  MARK ENTRY POINT
         LR    R12,R15             COPY ENTRY POINT ADDRESS
         USING CBRUXSAE,R12        CBRUXSAE BASE REGISTER
         USING WORKAREA,R9         ADDRESSABILITY TO DATA AREA
         ST    R13,SAVEAREA+4      BACKWARD CHAIN SAVE AREAS
         LA    R0,SAVEAREA         CBRUXSAE SAVE AREA ADDRESS
         ST    R0,8(,R13)          FORWARD CHAIN SAVE AREAS
         LR    R13,R0              SET CBRUXSAE SAVE AREA ADDRESS
         LR    R11,R1              COPY PARAMETER LIST ADDRESS
         USING UXSAEINP,R11        ADDRESSABILITY TO PARAMETERS
         SPACE 2
*---------------------------------------------------------------------*
* *
* RETURN TO THE CALLER *
* *
*---------------------------------------------------------------------*
EXIT     DS    0H
         L     R13,SAVEAREA+4      RESTORE CALLER'S SAVE AREA
         LA    R10,UXSAEDIS        SET DISABLE RETURN CODE        @01A
         LR    R15,R10             SAVE RETURN CODE               @01C
         RETURN (14,12),           RESTORE CALLER'S REGISTERS, THEN    +
               RC=(15)             RETURN TO CALLER
         SPACE 2
         END   CBRUXSAE
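
The return-code rules from the OUTPUT section above, modeled in Python as an added illustration (not IBM code and not part of CBRUXSAE). It shows why the shipped sample (RC=16) leaves every OSREQ function open, and why a pre-V1R11 exit that used 255 to refuse a request now grants it and switches itself off for that function. Assumptions: all class and function names are hypothetical, STORE BEGIN shares STORE's bypass state, and reset() stands in for LIBRARY RESET,CBRUXSAE by clearing all bypass state.

```python
# Added model of the OUTPUT table above; not IBM code. All names are hypothetical.
FUNCTIONS = ("STORE", "RETRIEVE", "CHANGE", "QUERY", "DELETE")

class OsreqAuthModel:
    """Tracks per-function BYPASS state the way the return-code table describes."""

    def __init__(self, v1r11=True):
        self.v1r11 = v1r11      # False: pre-V1R11 rules (non-zero except 16 = fail)
        self.bypass = {}        # function -> True if STORE is existing-collection only
        self.exit_calls = 0     # how often the exit was actually invoked

    def reset(self):
        """Assumed effect of LIBRARY RESET,CBRUXSAE: the exit is called again."""
        self.bypass.clear()

    def request(self, exit_fn, func, user, collection_exists=True):
        """Return True if the OSREQ request is allowed to proceed."""
        key = "STORE" if func.startswith("STORE") else func  # STORE BEGIN -> STORE
        if key in self.bypass:                    # exit is not invoked at all
            allowed, restricted = True, self.bypass[key]
        else:
            self.exit_calls += 1
            allowed, restricted = self._interpret(exit_fn(func, user), key)
        if allowed and key == "STORE" and restricted and not collection_exists:
            return False                          # store to a new collection fails
        return allowed

    def _interpret(self, rc, key):
        if rc == 0:                               # authorized, keep calling the exit
            return True, False
        if rc == 16:                              # bypass the exit for every function
            self.bypass = {f: False for f in FUNCTIONS}
            return True, False
        if self.v1r11 and rc == 253:              # valid for this invocation only
            return key == "STORE", True
        if self.v1r11 and rc in (254, 255):       # bypass this function from now on
            self.bypass[key] = (rc == 254 and key == "STORE")
            return True, self.bypass[key]
        return False, False                       # 224-252 and any other non-zero

def shipped_sample(func, user):
    return 16        # what the sample above does: LA R10,UXSAEDIS / LR R15,R10

def legacy_deny_255(func, user):
    return 255       # constructed pre-V1R11 exit that used 255 to mean "refuse"
```

Running the same exit function against OsreqAuthModel(v1r11=False) and OsreqAuthModel() shows which of its non-zero return codes changed meaning at V1R11.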