Author Topic: Severe Error in OnDemand when using RACF for Application group checking  (Read 283 times)

hakan_carlberg

  • Jr. Member
  • **
  • Posts: 74
    • View Profile
Hi everybody

I've recently found out that its a severe error in the code for OnDemand z/OS V9.5.0.7, when using RACF-checking for Application group authorization.
Let me try to explain:
A) You have a folder(TEST1) that have 2 Application Group( APG A(agid 5100) and APG B(agid 5110))
Now the PERMEXIT only checks for authorization on APG A, because it has the lowest agid, the exit is called 2 times, but both times the Application name supplied to the exit is A both times.

B)You have a folder(TEST2) that have 3 Application Group( APG X(agid 5050) ,APG A(agid 5100) and APG B(agid 5110))
Now the PERMEXIT only checks for authorization on APG X, because it has the lowest agid, the exit is called 3 times, but All times the Application name supplied to the exit is X.

So this means that if the user is authorized to only APG A, then he can't !! open folder TEST2 !!
And when opening folder TEST1, he can see APG A and APG B, although he's not authorized to that , he's only athorized to APG A!!

@Ed: I've opened PMR00540,160,846 for this



/H Carlberg

Ed_Arnold

  • Hero Member
  • *****
  • Posts: 623
    • View Profile
"@Ed" who? 

And for the record, if anybody asks, I have no idea who this "Håkan" person is. 

Just kidding!  Just kidding!

Håkan, what's curious about this one is that your shop must be doing something that no other site is, for this problem to only appear now.

Ed
#zOS #ODF

hakan_carlberg

  • Jr. Member
  • **
  • Posts: 74
    • View Profile
Hi everybody.... except ED !!

 ::)

Now this issue will only happen under certain circumstances, depending on the agid, because as I see it, the exit only check the first entry(lowest agid) in the folder.

We did an upgrade in Sandbox, test, system-test and 1 prodcution-system before we saw this behaviour. And the first time we noticed it was in production, surprised ?!?!?

And do an downgrade back to 8.5.0 from 9.5. ... No way !!

Regards
/H Carlberg

Ed_Arnold

  • Hero Member
  • *****
  • Posts: 623
    • View Profile
An APAR has been created for everyone except Håkan.   ;D

Quote
APAR NUMBER
PI81644

ABSTRACT

INCORRECT PARAMETERS WHEN CALLING PERMEXIT

REPORTED COMPONENT ID
5655H3900
ERROR DESCRIPTION

When the PERMEXIT is called after a user has selected a folder
which has numerous Application groups attached, the PERMEXIT
authorization on the APPLGROUP(app_group_name) when entering
PERMEXIT is always the same for the field :
ArcCSXitApplGroup-name.

Ed
« Last Edit: May 15, 2017, 03:22:44 PM by Ed_Arnold »
#zOS #ODF

hakan_carlberg

  • Jr. Member
  • **
  • Posts: 74
    • View Profile
Hi

so...
"Håkan, what's curious about this one is that your shop must be doing something that no other site is, for this problem to only appear now."

It got to be more Customers that have more than one Application group in one Folder  !!  ;D ;D ;D

As they said in the Movie "Life of Brian":

Brian(Ed/IBM): Look, you've got it all wrong! You don't NEED to follow ME, You don't NEED to follow ANYBODY!
You've got to think for your selves! You're ALL individuals!

The Crowd(Customers): Yes! We're all individuals!

Brian(Ed/IBM): You're all different!

The Crowd(Customers): Yes, we ARE all different!

Man in crowd(Håkan): I'm not...


/H  Carlberg

hakan_carlberg

  • Jr. Member
  • **
  • Posts: 74
    • View Profile
Hi

PI81644, has now a Target date for 17/05/30.
IBM supplied us with the code , so if anybody(except me) was hit by this problem you can probably get it.
But it was based on 9.5.0.8, so you need to get that PTF as well

Regards
/H Carlberg