SAFCHECK
This command issues a RACROUTE to check READ authorization for a resource where the resource name is combined from values specified in BBSEC, values currently in use for SSID, and values passed as parameters to the IMFEXEC SAFCHECK command. The CLASS specified on the RACROUTE command is the same the one as defined in BBSEC during BBI-SS PAS initialization and is stored in the SHARED variable QSAFCLAS.
The following example is of a SAF resource name:
highlevel.ssid.AAO.ssid.USER.suffix
where:
- highlevel is the same as the PREFIX value defined in BBSEC
- ssid is the SSID of the BBI-SS PAS where the EXEC is scheduled
- product is always resolved as AAO
- ssid is the SSID of the BBI-SS PAS where the EXEC is scheduled
- suffix is always resolved as USER, with the value from the SUFFIX() keyword on the IMFEXEC SAFCHECK command concatenated as the final qualifier
The following table describes the parameters:
Parameter | Function | Notes |
|---|---|---|
USER or USR | Supplies the user ID that should be used to validate authority | This keyword is required. It may be a constant or a variable such as &IMFRUSER. |
SUFFIX or SFX | Supplies the suffix of the resource that will be checked by SAF. | This keyword is required. The specified value can be from 1-8 characters in length and must start with an alpha character. The value should be fully defined; do not use characters that are wildcard or generic specification characters to the ESM. Note that a value that is syntactically incorrect for the ESM being used will not be reported as syntax error (IMFCC=16), but instead, will be passed to the ESM as is. It is your responsibility to select the correct values for the ESM. The value of the SUFFIX () keyword is appended to the constant of USER. to create the complete suffix of the SAF resource name. For example, if SUFFIX(MYCMDS) is specified, the complete suffix used in the SAF resource name is: USER.MYCMDS |
DEBUG | Requests debugging messages | This keyword is optional. The default is DEBUG(NO). Use the keyword to request debugging messages to assist in verification or for resolving a problem. |
Condition codes are listed in the following table:
Value | Description |
|---|---|
0 | ESM indicated the user has READ access. |
4 | ESM indicates that the resource was not defined. |
8 | ESM returned a return code of 8 or higher meaning that the user does not have READ authority. |
12 | SAF security is not active in this BBI-SS PAS |
16 | A syntax error was found in the command, a required keyword is missing, or a value specified for a keyword is invalid. |
24 | Internal error occurred. |
Example 1
The following example shows how to secure an EXEC that is scheduled by a Rule to issue one or more MVS commands:
"IMFEXEC SAFCHECK USER("IMFRUSER") SUFFIX(MVSCMDS)"
"IMFEXEC VDCL ASML1 LIST(V1 V2 V3 V4 IPLTYPE V6 V7)"
This statement causes a RACROUTE call that uses the following resource name:
Example 2
The following example shows how to secure the use of an IMFEXEC ALERT command in an EXEC scheduled by a Rule.
Insert the following statement in the EXEC just before the command and check the IMFCC condition code following it.
"IMFEXEC SAFCHECK USER("IMFRUSER") SUFFIX(ALRTCMD)"
This statement causes a RACROUTE call that uses the following resource name: