OnDemand User Group
Support Forums => z/OS Server => Topic started by: hakan_carlberg on May 14, 2017, 11:51:43 PM
-
Hi everybody
I've recently found out that its a severe error in the code for OnDemand z/OS V9.5.0.7, when using RACF-checking for Application group authorization.
Let me try to explain:
A) You have a folder(TEST1) that have 2 Application Group( APG A(agid 5100) and APG B(agid 5110))
Now the PERMEXIT only checks for authorization on APG A, because it has the lowest agid, the exit is called 2 times, but both times the Application name supplied to the exit is A both times.
B)You have a folder(TEST2) that have 3 Application Group( APG X(agid 5050) ,APG A(agid 5100) and APG B(agid 5110))
Now the PERMEXIT only checks for authorization on APG X, because it has the lowest agid, the exit is called 3 times, but All times the Application name supplied to the exit is X.
So this means that if the user is authorized to only APG A, then he can't !! open folder TEST2 !!
And when opening folder TEST1, he can see APG A and APG B, although he's not authorized to that , he's only athorized to APG A!!
@Ed: I've opened PMR00540,160,846 for this
/H Carlberg
-
"@Ed" who?
And for the record, if anybody asks, I have no idea who this "Håkan" person is.
Just kidding! Just kidding!
Håkan, what's curious about this one is that your shop must be doing something that no other site is, for this problem to only appear now.
Ed
-
Hi everybody.... except ED !!
::)
Now this issue will only happen under certain circumstances, depending on the agid, because as I see it, the exit only check the first entry(lowest agid) in the folder.
We did an upgrade in Sandbox, test, system-test and 1 prodcution-system before we saw this behaviour. And the first time we noticed it was in production, surprised ?!?!?
And do an downgrade back to 8.5.0 from 9.5. ... No way !!
Regards
/H Carlberg
-
An APAR has been created for everyone except Hakan. ;D
APAR NUMBER
PI81644
ABSTRACT
INCORRECT PARAMETERS WHEN CALLING PERMEXIT
REPORTED COMPONENT ID
5655H3900
ERROR DESCRIPTION
When the PERMEXIT is called after a user has selected a folder
which has numerous Application groups attached, the PERMEXIT
authorization on the APPLGROUP(app_group_name) when entering
PERMEXIT is always the same for the field :
ArcCSXitApplGroup-name.
Ed
-
Hi
so...
"Hakan, what's curious about this one is that your shop must be doing something that no other site is, for this problem to only appear now."
It got to be more Customers that have more than one Application group in one Folder !! ;D ;D ;D
As they said in the Movie "Life of Brian":
Brian(Ed/IBM): Look, you've got it all wrong! You don't NEED to follow ME, You don't NEED to follow ANYBODY!
You've got to think for your selves! You're ALL individuals!
The Crowd(Customers): Yes! We're all individuals!
Brian(Ed/IBM): You're all different!
The Crowd(Customers): Yes, we ARE all different!
Man in crowd(Hakan): I'm not...
/H Carlberg
-
Hi
PI81644, has now a Target date for 17/05/30.
IBM supplied us with the code , so if anybody(except me) was hit by this problem you can probably get it.
But it was based on 9.5.0.8, so you need to get that PTF as well
Regards
/H Carlberg