Is there some interface that a REXX program can use to ask TSS about permissions, ADMIN authorities etc?
I have this REXX program that is used by data-center folks—let's call them the "users"—to reset passwords and remove suspends for other users—the "victims". Most of the users have ADMIN privileges enabling them to list the victims' ACIDs, but as far as I know none of them ever use it. I want to modify the REXX to pull data from the victims' ACID, but since this is a new feature in a utility that's been around a while, I foresee that some of the users may not have the necessary ADMIN authority. Rather than have the REXX start bombing for those folks, I'd rather be able to check the user's own authorities; if user doesn't have certain ADMIN DATA authorities, the program will have to take some other path.
So how to query the user's own ADMIN powers? Have the folks at CA perhaps made an interface that REXX can call (as exists for RACF)? If there are no doubt workarounds. I can have the REXX actually attempt the TSS LIST command on the victim, and trap the output; that'll work, I think. I might be able to get the REXX to LIST the user's own ACID and parse the result—but can a user without ADMIN authority do a LIST command on his own ID? I don't see whether the manual addresses that. Any other ideas?
There is no direct interface to REXX.
Some potential options:
1. Have the REXX program submit a batch job with the TSS admin commands.
2. Have REXX call on our a program that uses our API TSSAI to make the changes.
3. Have REXX issue make calls to CA LDAP to make the TSS admin changes.
TSS has ISPF panel driven administrative screens that is provided out of the box by TSS. Just wanted to make you aware of it just in case.
Please let me know if you have any questions.
Joseph Porto - CA Level 1 Support
By the way, To answer your question about users without ADMIN authority listing themselves: The user needs an admin DATA authority to perform the listing.
Coïncidentally, I ran across the section on the API in the TSS manuals just a few hours after posting this. I keep thinking I need to write a PL/1 routine that I can call from REXX that'll interface between REXX and some other routines; maybe this time?
No, probably I'll procrastinate again, and find some other way. But thanks, guys; good to know the capability is out there, anyway.
(I expect I can write an external routine in REXX that finds and assembles the necessary parm list, then LINKs to the API. But I haven't written anything in PL/1 in a long while, and I don't want to forget it entirely; it's such a great language.)
It depends, what you mean with "interface".... In TSO (+TSO batch) REXX you can use outtrap(...) + TSS command. If the outtrap stem is large enough, you have the whole TSS list output available in your REXX for further parsing and processing. This could be seen as an "interface" is n't it?
As Joe has already told we don't have direct REXX interface. But you can have a look at our REXX in member
CAKOCLS0(TSSBRWZ) it uses OUTRPAP() to capture TSS command output and put in a dataset.
From there you can do anything you want.
A user type acid cannot list himself, except if he has the admin rights.
You can give some admin rights to the *ALL* record, it will apply to any acid limited by their scope.
It means for user type acid, himself.
tss admin(all) data(basic,admin) will allow any acid to list data basic and admin rights for all acids within his scope.