Is there any way to know via Natural API for RACF, which CICS transaction a user have access to?
Could you please provide a more detailed description of what you are trying to achieve. I tried to get an answer from someone who is familiar with RACF and Natural, he was asking for more information.
I am using EntireX Security on the mainframe (os/390). EXS has a Natural interface to RACF that can provide me some information and also can verify user-id and password.
My question is, if I can use the same natural interface (NA2RES) in order to know what CICS transaction or what resources an user have access to on the mainframe.
I know that NA2RES talk with ‘RACROUTE’ and racroute can give me some info…
For example an user ‘AAAA’ only have access to ‘F100’ and ‘F200’ that are very legacy Cobol and Natural transaction already converted to the web using wrappers.
The user ?BBBB? only has access to ‘F300’ and ‘F400’ already converted to the web too.
The idea is to make a main web portal that authenticates and authorizes an user with RACF (Using EXS) and depending on the information that I can read from NA2RES I will show a page only with the application that the user have access to.
‘AAAA’ will see a page with links to F100 and F200 only .
‘BBBB’ will see a page with links to F300 and F400 only .
according to the “specialist” you can do that.
He mentioned that NA2RES does not exist (in Natural), it’s called NA2NRES. In an NSF environment it is called NSFNRES.
Ok. they are rigth is NA2NRES, I am making some test …
The subprogram ask me for a function and a Class field, and I don’t know exactly what function and class do I need to do that???..
This is an example that give me a list of users names…
LOCAL USING NA2LEQU
LOCAL USING NA2ARES
#RES-FUNC = INDQRDN
#RES-CLAS = ‘USER’
#RES-PROF = ‘A’
#RES-FLDA(1) = ‘PGMRNAME’
REPEAT UNTIL #RES-RETC > 0
CALLNAT ‘NA2NRES’ NA2ARES
DISPLAY #RES-RETC #RES-SERR #RES-PROF #RES-DATA-A(0)
I am trying to find the right function and class in an IBM RACF manual with no succes…
I’m just forwarding the information I received:
The class has to be a defined RACF class, such as USER or GROUP or DATASET or any user-defined class such as ADASEC, NBKSAG and so on.
The valid functions are defined in the LDA NA2LEQU:
1 INDQRTV B 1 INIT<H’01’> /* SF: EXTRACT
1 INDQRDN B 1 INIT<H’02’> /* EXTRACTN
1 INDQUPD B 1 INIT<H’03’> /* EXTRACT U
1 INDQDEF B 1 INIT<H’04’> /* DEFINE
1 INDQDEL B 1 INIT<H’05’> /* DELETE
1 INDQCHK B 1 INIT<H’06’> /* AUTH
1 INDQDES B 1 INIT<H’07’> /* DES
1 INDQHSH B 1 INIT<H’08’> /* HASH
1 INDQINS B 1 INIT<H’09’> /* INSTALLAT
1 INDQSDE B 1 INIT<H’0A’> /* STD DES
1 INDQEXG B 1 INIT<H’0B’> /* EXTRACTN(
1 INDQPCH B 1 INIT<H’0C’> /* AUTH/PROX
So your example is extracting the field programmer name from the next user profile after ?A?.
two IBM links I found helpful to understand the fields being passed to NA2NRES:
Be aware that requests to NA2NRES for resources outside those mentioned in the EXS documentation can cause EntireX Security gateway task to abend, so be sure to use a test environment! (And report any abends to support so they can reduce impact to other users!)
Software AG, Inc