diff --git a/zOS-RACF/Downloads/RACFJsec/CreateGroupsAndMembers.java b/zOS-RACF/Downloads/RACFJsec/CreateGroupsAndMembers.java new file mode 100644 index 00000000..e878f7a0 --- /dev/null +++ b/zOS-RACF/Downloads/RACFJsec/CreateGroupsAndMembers.java 
@@ -0,0 +1,157 @@ +/* */ +/* Copyright 2023 IBM Corp. */ +/* */ +/* Licensed under the Apache License, Version 2.0 (the "License"); */ +/* you may not use this file except in compliance with the License. */ +/* You may obtain a copy of the License at */ +/* */ +/* http://www.apache.org/licenses/LICENSE-2.0 */ +/* */ +/* Unless required by applicable law or agreed to in writing, */ +/* software distributed under the License is distributed on an */ +/* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, */ +/* either express or implied. See the License for the specific */ +/* language governing permissions and limitations under the License. */ +/* */ +import com.ibm.eserver.zos.racf.userregistry.*; +import com.ibm.security.userregistry.*; +import javax.naming.*; +import javax.naming.directory.*; +import java.util.Enumeration; + +public class CreateGroupsAndMembers { + + + public static void main(String[] args) + { + SecAdmin racfAdmin = null; + UserGroup dwarves = null; + User dwarf; + + ///////////////////////////////////////////////////////////////////// + // Instantiate RACF_remote object with connection data: + ///////////////////////////////////////////////////////////////////// + + RACF_remote remote = new RACF_remote("ldap://alps4014.pok.ibm.com:389", + "simple", + "IBMUSER", // userid for sample/testing + "secret", // password during testing + "o=racfdb,c=us"); // ldap suffix on sample/test system + + ///////////////////////////////////////////////////////////////////// + // Create a new RACF_SecAdmin object. This will create connection + // to RACF database with authority of userid provided in RACF_remote + // object. + ///////////////////////////////////////////////////////////////////// + try + { + racfAdmin = new RACF_SecAdmin(remote); + } + catch (SecAdminException e) + { + System.out.println("Unable to connect to specified RACF database. 
"+e.getMessage()); + return; + } + + + ///////////////////////////////////////////////////////////////////// + // Define create a group named dwarves + ///////////////////////////////////////////////////////////////////// + try + { + dwarves = racfAdmin.createGroup("dwarves", null); + System.out.println("We just created a group called Dwarves."); + } + catch (SecAdminException e) + { + System.out.println("Unable to create group 'dwarves'. "+e.getMessage()); + return; + } + + ///////////////////////////////////////////////////////////////////// + // Show the members of Dwarves + ///////////////////////////////////////////////////////////////////// + System.out.println("Dwarves Members:"); + for (Enumeration ae = dwarves.members(); ae.hasMoreElements();) + { + User user = (User)ae.nextElement(); + System.out.println(user.getName()); + } + + ///////////////////////////////////////////////////////////////////// + // Add some members to Dwarves + ///////////////////////////////////////////////////////////////////// + try + { + System.out.println("Now we are going to add some members."); + dwarves.addMember(racfAdmin.createUser("Sleepy",null)); + dwarves.addMember(racfAdmin.createUser("Grumpy",null)); + dwarves.addMember(racfAdmin.createUser("Sneezy",null)); + dwarves.addMember(racfAdmin.createUser("Dopey",null)); + dwarves.addMember(racfAdmin.createUser("Bashful",null)); + dwarves.addMember(racfAdmin.createUser("Happy",null)); + dwarves.addMember(racfAdmin.createUser("Doc",null)); + } + catch (SecAdminException e) + { + System.out.println("Exception trying to add members to group 'dwarves'. 
"+e.getMessage()); + return; + } + + ///////////////////////////////////////////////////////////////////// + // Again, show the members of Dwarves + ///////////////////////////////////////////////////////////////////// + System.out.println("Dwarves Members:"); + for (Enumeration ae = dwarves.members(); ae.hasMoreElements();) + { + User user = (User)ae.nextElement(); + System.out.println(user.getName()); + } + + ///////////////////////////////////////////////////////////////////// + // Now let's modify the membership attributes of User Doc + ///////////////////////////////////////////////////////////////////// + try + { + System.out.println("Doc is leader of the group, should be SPECIAL."); + ModificationItem mods[] = new ModificationItem[1]; + mods[0] = new ModificationItem(DirContext.ADD_ATTRIBUTE, + new BasicAttribute("BASE_SPECIAL")); + dwarf = racfAdmin.getUser("DOC"); + dwarves.modifyMembershipAttributes(dwarf,mods); + + } + catch (SecAdminException e) + { + System.out.println("Error modifying membership attributes "+e.getMessage()); + return; + } + + + ////////////////////////////////////////////////////////////////////////// + // Display the membership attributes of Doc and Happy + ////////////////////////////////////////////////////////////////////////// + try + { + BasicAttributes member_at = dwarves.getMembershipAttributes(dwarf); + System.out.println("Membership attributes returned for DOC are: "); + RACF_SecAdmin.displayAttributes(member_at); + + // Now we are going to get and display the membership attributes of HAPPY + dwarf = racfAdmin.getUser("HAPPY"); + member_at = dwarves.getMembershipAttributes(dwarf); + System.out.println("Membership attributes returned for HAPPY are: "); + RACF_SecAdmin.displayAttributes(member_at); + } + catch (SecAdminException e) + { + System.out.println("Error retrieving membership attributes "+e.getMessage()); + return; + } + + + + + } + +} 
diff --git a/zOS-RACF/Downloads/RACFJsec/CreateProtectedUserid.java b/zOS-RACF/Downloads/RACFJsec/CreateProtectedUserid.java new file mode 100644 index 00000000..aa9e9aef --- /dev/null +++ b/zOS-RACF/Downloads/RACFJsec/CreateProtectedUserid.java 
@@ -0,0 +1,89 @@ +/* */ +/* Copyright 2023 IBM Corp. */ +/* */ +/* Licensed under the Apache License, Version 2.0 (the "License"); */ +/* you may not use this file except in compliance with the License. */ +/* You may obtain a copy of the License at */ +/* */ +/* http://www.apache.org/licenses/LICENSE-2.0 */ +/* */ +/* Unless required by applicable law or agreed to in writing, */ +/* software distributed under the License is distributed on an */ +/* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, */ +/* either express or implied. See the License for the specific */ +/* language governing permissions and limitations under the License. */ +/* */ +import com.ibm.eserver.zos.racf.userregistry.*; +import com.ibm.security.userregistry.*; +import javax.naming.*; +import javax.naming.directory.*; + +public class CreateProtectedUserid { + + + public static void main(String[] args) + { + SecAdmin racfAdmin = null; + User protect = null; + ///////////////////////////////////////////////////////////////////// + // Instantiate RACF_remote object with connection data: + ///////////////////////////////////////////////////////////////////// + RACF_remote remote = new RACF_remote("ldap://alps4014.pok.ibm.com:389", + "simple", + "IBMUSER", // userid for sample/testing + "secret", // password during testing + "o=racfdb,c=us"); // ldap suffix on sample/test system + + ///////////////////////////////////////////////////////////////////// + // Create a new RACF_SecAdmin object. This will create connection + // to RACF database with authority of userid provided in RACF_remote + // object. + ///////////////////////////////////////////////////////////////////// + try + { + racfAdmin = new RACF_SecAdmin(remote); + } + catch (SecAdminException e) + { + System.out.println("Unable to connect to specified RACF database. 
"+e.getMessage()); + return; + } + + + ///////////////////////////////////////////////////////////////////// + // Define the user attributes and create the user + ///////////////////////////////////////////////////////////////////// + try + { + BasicAttributes ba = new BasicAttributes(); + BasicAttribute pwd = new BasicAttribute("base_password"); + pwd.add("nopassword"); + ba.put(pwd); + protect = racfAdmin.createUser("protect", ba); + System.out.println("Successfully created userid 'protect'."); + } + catch (SecAdminException e) + { + System.out.println("Unable to create user 'protect'. "+e.getMessage()); + return; + } + + ///////////////////////////////////////////////////////////////////// + // Get the user attributes of the recently created user + // and display the BASE_PASSWORD attribute + ///////////////////////////////////////////////////////////////////// + try + { + BasicAttributes prot_at = protect.getAttributes(); + System.out.println(prot_at.get("BASE_PASSWORD")); + } + catch (SecAdminException e) + { + System.out.println("Error retrieving attributes "+e.getMessage()); + return; + } + + + } + +} diff --git a/zOS-RACF/Downloads/RACFJsec/CreateTSOUserid.java b/zOS-RACF/Downloads/RACFJsec/CreateTSOUserid.java new file mode 100644 index 00000000..57d8f5dc --- /dev/null +++ b/zOS-RACF/Downloads/RACFJsec/CreateTSOUserid.java 
@@ -0,0 +1,91 @@ +/* */ +/* Copyright 2023 IBM Corp. */ +/* */ +/* Licensed under the Apache License, Version 2.0 (the "License"); */ +/* you may not use this file except in compliance with the License. */ +/* You may obtain a copy of the License at */ +/* */ +/* http://www.apache.org/licenses/LICENSE-2.0 */ +/* */ +/* Unless required by applicable law or agreed to in writing, */ +/* software distributed under the License is distributed on an */ +/* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, */ +/* either express or implied. See the License for the specific */ +/* language governing permissions and limitations under the License. */ +/* */ +import com.ibm.eserver.zos.racf.userregistry.*; +import com.ibm.security.userregistry.*; +import javax.naming.*; +import javax.naming.directory.*; + +public class CreateTSOUserid { + + + public static void main(String[] args) + { + SecAdmin racfAdmin = null; + User catuser = null; + ///////////////////////////////////////////////////////////////////// + // Instantiate RACF_remote object with connection data: + ///////////////////////////////////////////////////////////////////// + RACF_remote remote = new RACF_remote("ldap://alps4014.pok.ibm.com:389", + "simple", + "IBMUSER", // userid for sample/testing + "secret", // password during testing + "o=racfdb,c=us"); // ldap suffix on sample/test system + + ///////////////////////////////////////////////////////////////////// + // Create a new RACF_SecAdmin object. This will create connection + // to RACF database with authority of userid provided in RACF_remote + // object. + ///////////////////////////////////////////////////////////////////// + try + { + racfAdmin = new RACF_SecAdmin(remote); + } + catch (SecAdminException e) + { + System.out.println("Unable to connect to specified RACF database. 
"+e.getMessage()); + return; + } + + + ///////////////////////////////////////////////////////////////////// + // Define the user attributes and create the user + ///////////////////////////////////////////////////////////////////// + try + { + BasicAttributes ba = new BasicAttributes(); + BasicAttribute pwd = new BasicAttribute("base_password"); + pwd.add("meow"); // cat simply has to enter �meow� to log on + pwd.add("noexpired"); + ba.put(pwd); + ba.put(new BasicAttribute("TSO")); + catuser = (User)racfAdmin.createUser("cat", ba); + System.out.println("You have successfully created TSO user cat, password meow. Try logging on if you don't believe me."); + } + catch (SecAdminException e) + { + System.out.println("Unable to create user 'cat'. "+e.getMessage()); + return; + } + + ///////////////////////////////////////////////////////////////////// + // Get the user attributes of the recently created user + // and display the BASE_PASSWORD attribute + ///////////////////////////////////////////////////////////////////// + try + { + BasicAttributes u_at = catuser.getAttributes(); + System.out.println(u_at.get("BASE_PASSWORD")); + } + catch (SecAdminException e) + { + System.out.println("Error retrieving attributes "+e.getMessage()); + return; + } + + + } + +} diff --git a/zOS-RACF/Downloads/RACFJsec/DeleteGroupWithMembers.java b/zOS-RACF/Downloads/RACFJsec/DeleteGroupWithMembers.java new file mode 100644 index 00000000..c53a1523 --- /dev/null +++ b/zOS-RACF/Downloads/RACFJsec/DeleteGroupWithMembers.java 
@@ -0,0 +1,142 @@ +/* */ +/* Copyright 2023 IBM Corp. */ +/* */ +/* Licensed under the Apache License, Version 2.0 (the "License"); */ +/* you may not use this file except in compliance with the License. */ +/* You may obtain a copy of the License at */ +/* */ +/* http://www.apache.org/licenses/LICENSE-2.0 */ +/* */ +/* Unless required by applicable law or agreed to in writing, */ +/* software distributed under the License is distributed on an */ +/* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, */ +/* either express or implied. See the License for the specific */ +/* language governing permissions and limitations under the License. */ +/* */ +import com.ibm.eserver.zos.racf.userregistry.*; +import com.ibm.security.userregistry.*; +import javax.naming.*; +import javax.naming.directory.*; +import java.util.Enumeration; + +public class DeleteGroupWithMembers { + + + public static void main(String[] args) + { + SecAdmin racfAdmin = null; + UserGroup dwarves = null; + User dwarf; + + ///////////////////////////////////////////////////////////////////// + // Instantiate RACF_remote object with connection data: + ///////////////////////////////////////////////////////////////////// + + RACF_remote remote = new RACF_remote("ldap://alps4014.pok.ibm.com:389", + "simple", + "IBMUSER", // userid for sample/testing + "secret", // password during testing + "o=racfdb,c=us"); // ldap suffix on sample/test system + + ///////////////////////////////////////////////////////////////////// + // Create a new RACF_SecAdmin object. This will create connection + // to RACF database with authority of userid provided in RACF_remote + // object. + ///////////////////////////////////////////////////////////////////// + try + { + racfAdmin = new RACF_SecAdmin(remote); + } + catch (SecAdminException e) + { + System.out.println("Unable to connect to specified RACF database. 
"+e.getMessage()); + return; + } + + + ///////////////////////////////////////////////////////////////////// + // Show the members of Dwarves + ///////////////////////////////////////////////////////////////////// + System.out.println("Dwarves Members:"); + try + { + dwarves = racfAdmin.getGroup("dwarves"); + } + catch (SecAdminException e) + { + System.out.println("Problem getting userGroup 'dwarves'. "+e.getMessage()); + return; + } + Enumeration ae = dwarves.members(); + if (ae == null) + { + System.out.println("None"); + } + else + { + while(ae.hasMoreElements()) + { + User user = (User)ae.nextElement(); + System.out.println(user.getName()); + } + } + ///////////////////////////////////////////////////////////////////// + // Now delete the users (Dwarves) + ///////////////////////////////////////////////////////////////////// + try + { + System.out.println("Now we delete the userids that belonged to Dwarves."); + System.out.println( + "We could also just remove them from the group, but we delete so CreateGroupsandMembers can create them."); + racfAdmin.deleteUser("Sleepy"); + racfAdmin.deleteUser("Grumpy"); + racfAdmin.deleteUser("Sneezy"); + racfAdmin.deleteUser("Dopey"); + racfAdmin.deleteUser("Bashful"); + racfAdmin.deleteUser("Happy"); + racfAdmin.deleteUser("Doc"); + } + catch (SecAdminException e) + { + System.out.println("Exception trying to delete users. 
"+e.getMessage()); + return; + } + + + ///////////////////////////////////////////////////////////////////// + // Again, show the members of Dwarves + ///////////////////////////////////////////////////////////////////// + System.out.println("Dwarves Members:"); + ae = dwarves.members(); + if (ae == null) + { + System.out.println("None"); + } + else + { + while(ae.hasMoreElements()) + { + User user = (User)ae.nextElement(); + System.out.println(user.getName()); + } + } + + ///////////////////////////////////////////////////////////////////// + // Finally delete the group named dwarves + ///////////////////////////////////////////////////////////////////// + try + { + racfAdmin.deleteGroup("dwarves"); + System.out.println("We just deleted a group called Dwarves."); + } + catch (SecAdminException e) + { + System.out.println("Unable to delete group 'dwarves'. "+e.getMessage()); + return; + } + + + + } + +} diff --git a/zOS-RACF/Downloads/RACFJsec/DeleteProtectedUserid.java b/zOS-RACF/Downloads/RACFJsec/DeleteProtectedUserid.java new file mode 100644 index 00000000..c6b92a29 --- /dev/null +++ b/zOS-RACF/Downloads/RACFJsec/DeleteProtectedUserid.java 
@@ -0,0 +1,69 @@ +/* */ +/* Copyright 2023 IBM Corp. */ +/* */ +/* Licensed under the Apache License, Version 2.0 (the "License"); */ +/* you may not use this file except in compliance with the License. */ +/* You may obtain a copy of the License at */ +/* */ +/* http://www.apache.org/licenses/LICENSE-2.0 */ +/* */ +/* Unless required by applicable law or agreed to in writing, */ +/* software distributed under the License is distributed on an */ +/* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, */ +/* either express or implied. See the License for the specific */ +/* language governing permissions and limitations under the License. */ +/* */ +import com.ibm.eserver.zos.racf.userregistry.*; +import com.ibm.security.userregistry.*; +import javax.naming.*; +import javax.naming.directory.*; + +public class DeleteProtectedUserid { + + + public static void main(String[] args) + { + SecAdmin racfAdmin = null; + User protect = null; + ///////////////////////////////////////////////////////////////////// + // Instantiate RACF_remote object with connection data: + ///////////////////////////////////////////////////////////////////// + RACF_remote remote = new RACF_remote("ldap://alps4014.pok.ibm.com:389", + "simple", + "IBMUSER", // userid for sample/testing + "secret", // password during testing + "o=racfdb,c=us"); // ldap suffix on sample/test system + + ///////////////////////////////////////////////////////////////////// + // Create a new RACF_SecAdmin object. This will create connection + // to RACF database with authority of userid provided in RACF_remote + // object. + ///////////////////////////////////////////////////////////////////// + try + { + racfAdmin = new RACF_SecAdmin(remote); + } + catch (SecAdminException e) + { + System.out.println("Unable to connect to specified RACF database. 
"+e.getMessage()); + return; + } + + + //////////////////////////////////////////////////////////////////// + // Now delete the userid we just created, so the testcase can be + // run repeatedly. + ///////////////////////////////////////////////////////////////////// + try + { + racfAdmin.deleteUser("protect"); + System.out.println("Successfully deleted userid 'protect'."); + } + catch (Exception e) + { + System.out.println("Exception deleting user protect: "+e.getMessage()); + } + + } + +} diff --git a/zOS-RACF/Downloads/RACFJsec/DeleteTSOUserid.java b/zOS-RACF/Downloads/RACFJsec/DeleteTSOUserid.java new file mode 100644 index 00000000..f8125fd4 --- /dev/null +++ b/zOS-RACF/Downloads/RACFJsec/DeleteTSOUserid.java 
@@ -0,0 +1,69 @@ +/* */ +/* Copyright 2023 IBM Corp. */ +/* */ +/* Licensed under the Apache License, Version 2.0 (the "License"); */ +/* you may not use this file except in compliance with the License. */ +/* You may obtain a copy of the License at */ +/* */ +/* http://www.apache.org/licenses/LICENSE-2.0 */ +/* */ +/* Unless required by applicable law or agreed to in writing, */ +/* software distributed under the License is distributed on an */ +/* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, */ +/* either express or implied. See the License for the specific */ +/* language governing permissions and limitations under the License. */ +/* */ +import com.ibm.eserver.zos.racf.userregistry.*; +import com.ibm.security.userregistry.*; +import javax.naming.*; +import javax.naming.directory.*; + +public class DeleteTSOUserid { + + + public static void main(String[] args) + { + SecAdmin racfAdmin = null; + User protect = null; + ///////////////////////////////////////////////////////////////////// + // Instantiate RACF_remote object with connection data: + ///////////////////////////////////////////////////////////////////// + RACF_remote remote = new RACF_remote("ldap://alps4014.pok.ibm.com:389", + "simple", + "IBMUSER", // userid for sample/testing + "secret", // password during testing + "o=racfdb,c=us"); // ldap suffix on sample/test system + + ///////////////////////////////////////////////////////////////////// + // Create a new RACF_SecAdmin object. This will create connection + // to RACF database with authority of userid provided in RACF_remote + // object. + ///////////////////////////////////////////////////////////////////// + try + { + racfAdmin = new RACF_SecAdmin(remote); + } + catch (SecAdminException e) + { + System.out.println("Unable to connect to specified RACF database. 
"+e.getMessage()); + return; + } + + + //////////////////////////////////////////////////////////////////// + // Now delete the userid we just created, so the testcase can be + // run repeatedly. + ///////////////////////////////////////////////////////////////////// + try + { + racfAdmin.deleteUser("cat"); + System.out.println("Successfully deleted userid 'cat'."); + } + catch (Exception e) + { + System.out.println("Exception deleting user cat: "+e.getMessage()); + } + + } + +} diff --git a/zOS-RACF/Downloads/RACFJsec/JSec_Webpages.zip b/zOS-RACF/Downloads/RACFJsec/JSec_Webpages.zip new file mode 100644 index 00000000..74be78d5 Binary files /dev/null and b/zOS-RACF/Downloads/RACFJsec/JSec_Webpages.zip differ diff --git a/zOS-RACF/Downloads/RACFJsec/JSec_javadoc.zip b/zOS-RACF/Downloads/RACFJsec/JSec_javadoc.zip new file mode 100644 index 00000000..385f46eb Binary files /dev/null and b/zOS-RACF/Downloads/RACFJsec/JSec_javadoc.zip differ diff --git a/zOS-RACF/Downloads/RACFJsec/JSec_javadoc_OA43482.zip b/zOS-RACF/Downloads/RACFJsec/JSec_javadoc_OA43482.zip new file mode 100644 index 00000000..4e9f96d3 Binary files /dev/null and b/zOS-RACF/Downloads/RACFJsec/JSec_javadoc_OA43482.zip differ diff --git a/zOS-RACF/Downloads/RACFJsec/SearchUsersAndGroups.java b/zOS-RACF/Downloads/RACFJsec/SearchUsersAndGroups.java new file mode 100644 index 00000000..8fbd429b --- /dev/null +++ b/zOS-RACF/Downloads/RACFJsec/SearchUsersAndGroups.java 
@@ -0,0 +1,208 @@
+/* */
+/* Copyright 2023 IBM Corp. */
+/* */
+/* Licensed under the Apache License, Version 2.0 (the "License"); */
+/* you may not use this file except in compliance with the License. */
+/* You may obtain a copy of the License at */
+/* */
+/* http://www.apache.org/licenses/LICENSE-2.0 */
+/* */
+/* Unless required by applicable law or agreed to in writing, */
+/* software distributed under the License is distributed on an */
+/* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, */
+/* either express or implied. See the License for the specific */
+/* language governing permissions and limitations under the License. */
+/* */
+import java.util.Enumeration;
+import java.util.Hashtable;
+
+import com.ibm.security.userregistry.*;
+import com.ibm.eserver.zos.racf.userregistry.*;
+
+import javax.naming.directory.BasicAttribute;
+import javax.naming.directory.BasicAttributes;
+import javax.naming.directory.DirContext;
+import javax.naming.directory.InitialDirContext;
+import javax.naming.directory.ModificationItem;
+import javax.naming.directory.SearchControls;
+import javax.naming.directory.SearchResult;
+import javax.naming.*;
+
+
+
+////////////////////////////////////////////////////////////////////////////////////////
+// The following sample code can be used to search a RACF database for users or groups
+// that begin with a particular string. The default of an
+// empty string shown below will return all users and groups.
+// But one could use 'java SearchUsersAndGroups b' to find all users
+// and groups that begin with the letter 'B'. 
+//////////////////////////////////////////////////////////////////////////////////////// +public class SearchUsersAndGroups { + + + public static void main(String[] args) + { + String search_string; + InitialDirContext ctx = null; + NamingEnumeration answer = null; + + + if (args.length > 0) + { + search_string = args[0]; + } + else search_string = ""; + +///////////////////////////////////////////////////////////////////////////////// +// We define a RACF_remote object not to get a RACF_SecAdmin object, but +// simply because this is how we have defined our connection information in +// all the other samples. We use the RACF_remote object in such a way that +// the rest of the code could be cut and pasted into code that was using JSec. +//////////////////////////////////////////////////////////////////////////////// + RACF_remote remote = new RACF_remote("ldap://alps4014.pok.ibm.com:389", + "simple", + "IBMUSER", + "secret", // password during testing + "o=racfdb,c=us"); + + +//////////////////////////////////////////////////////////////////////////////// +// The following code is using LDAP/SDBM to connect to RACF +/////////////////////////////////////////////////////////////////////////////// + String ldap_suffix = remote.getConnect_suffix(); // diff for each system + + try + { + SecAdmin racfAdmin = new RACF_SecAdmin(remote); + if (racfAdmin != null) + { + Hashtable hashtable = new Hashtable(7); + hashtable.put(Context.INITIAL_CONTEXT_FACTORY, + "com.sun.jndi.ldap.LdapCtxFactory"); + hashtable.put(Context.PROVIDER_URL, remote.getConnect_url() ); + hashtable.put(Context.SECURITY_AUTHENTICATION, "simple"); // if second parm to RACF_REMOTE is 'secure' then use 'ssl' here + String dn = "racfid=" + remote.getConnect_principal() + ",profiletype=user," + remote.getConnect_suffix(); + hashtable.put(Context.SECURITY_PRINCIPAL, dn); + hashtable.put(Context.SECURITY_CREDENTIALS, remote.getConnect_credentials()); + + try + { + // Create initial context + ctx = new 
InitialDirContext(hashtable); + } catch (NamingException e) + { + System.out.println("Error initially connecting to LDAP/SDBM."+e.getMessage()); + } + + +//////////////////////////////////////////////////////////////////////////////// +// Initialize some parameters we'll need +/////////////////////////////////////////////////////////////////////////////// + String[] attrIDs = {"racfid"}; + SearchControls ctls = new SearchControls(); + ctls.setReturningAttributes(attrIDs); + //Specify the search scope + ctls.setSearchScope(SearchControls.SUBTREE_SCOPE); + + String filter = "racfid="+search_string+"*"; + System.out.println("filter looks like: "+filter); + + +//////////////////////////////////////////////////////////////////////////////// +// the specific code for searching for users +/////////////////////////////////////////////////////////////////////////////// + try + { + answer = ctx.search("profiletype=user,"+ldap_suffix, filter,ctls); + } + catch (javax.naming.NamingException ne) + { + String e_text = ne.getMessage(); + if (e_text.toUpperCase().indexOf("NO ENTRIES MEET SEARCH CRITERIA") > -1) + answer = null; + else throw ne; + } + +//////////////////////////////////////////////////////////////////////////////// +// Display any userids we find +/////////////////////////////////////////////////////////////////////////////// + if (answer != null) + { + while (answer.hasMoreElements()) { + SearchResult sr = (SearchResult)answer.next(); + System.out.println("Userid: " + deLDAP(sr.getName())); + } + } + else System.out.println("System didn't find matching user"); + +//////////////////////////////////////////////////////////////////////////////// +// the specific code for searching for groups +/////////////////////////////////////////////////////////////////////////////// + try + { + answer = ctx.search("profiletype=group,"+ldap_suffix, filter,ctls); + } + catch (javax.naming.NamingException ne) + { + String e_text = ne.getMessage(); + if 
(e_text.toUpperCase().indexOf("NO ENTRIES MEET SEARCH CRITERIA") > -1) + answer = null; + else throw ne; + } + + +//////////////////////////////////////////////////////////////////////////////// +// Display any groupnames we find +/////////////////////////////////////////////////////////////////////////////// + if (answer != null) + { + while (answer.hasMoreElements()) { + SearchResult sr = (SearchResult)answer.next(); + System.out.println("Group: " + deLDAP(sr.getName())); + } + } + else System.out.println("System didn't find matching group"); + + + + } // end if racf_admin is not null + } catch (Exception e) + { + System.out.println("Exception in SearchUsersAndGroups.java " + e.getMessage() + "\n"); + e.printStackTrace(); + } + + } + + /** + * + * @param in String that may or may not be a userid or groupname in LDAP DN format + * @return String that is striped of any LDAP stuff + * + * example: in: "racfid=IBMUSER,profiletype=USER,o=racfdb,c=us" + * returns "IBMUSER" + */ + protected static String deLDAP(String in) + { + + if (in == null) // protect against bad input + return in; + + String out; + String lower_in = in.toLowerCase(); + + String racfid = "racfid="; + int pos = lower_in.indexOf("racfid="); + if (pos > -1) + { + int comma = in.indexOf(',',pos); + if (comma > -1) + out = in.substring(pos+racfid.length(),comma); + else out = in.substring(pos+racfid.length()); + return out; + } + else return in; + } + + +} diff --git a/zOS-RACF/Downloads/RACFJsec/ShowAttributes.html b/zOS-RACF/Downloads/RACFJsec/ShowAttributes.html new file mode 100644 index 00000000..f9621a48 --- /dev/null +++ b/zOS-RACF/Downloads/RACFJsec/ShowAttributes.html @@ -0,0 +1,20 @@ + + + +
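Review bot: The search filter is assembled by concatenation, `String filter = "racfid="+search_string+"*";`, with `search_string` taken straight from `args[0]`, so filter metacharacters in the argument (`*`, `(`, `)`, `\`) change the shape of the query instead of being matched literally — and the header comment invites this block to be cut and pasted into other JSec programs where the value may not come from a trusted command line. Escape the value per RFC 4515 before building the filter, as in the helper below, and call it once for both the user and group searches. Separately, when `new InitialDirContext(hashtable)` throws, the catch prints the message and execution continues with `ctx == null`, so the first `ctx.search` fails with a NullPointerException that the outer catch then reports as a generic exception; a `return;` in that catch gives a clearer failure. The context is also never released; `ctx.close()` in a `finally` at the end of main would close the LDAP connection.
```java
 String filter = "racfid=" + escapeLdapFilter(search_string) + "*";
 // … unchanged: user search, group search, result display …

 /**
  * Escapes the RFC 4515 filter metacharacters so the argument is matched literally.
  */
 private static String escapeLdapFilter(String value)
 {
 StringBuilder sb = new StringBuilder(value.length());
 for (char c : value.toCharArray())
 {
 switch (c)
 {
 case '\\': sb.append("\\5c"); break;
 case '*': sb.append("\\2a"); break;
 case '(': sb.append("\\28"); break;
 case ')': sb.append("\\29"); break;
 case '\0': sb.append("\\00"); break;
 default: sb.append(c);
 }
 }
 return sb.toString();
 }
```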
+User Attributes | |||||
---|---|---|---|---|---|
Attribute Name | Description | Modifiable | Segment | Boolean Attribute | Multi-Value Attribute |
BASE_ADSP | All permanent tape and DASD data sets created by user are automatically RACF-protected by discrete profiles. | Yes | No | Yes | No |
BASE_AUDITOR | Indicates user has full responsibility for auditing the use of system resources, and is able to control the logging of detected accesses to any RACF-protected resources during RACF authorization checking and accesses to the RACF database. | Yes | No | Yes | No |
BASE_CATEGORY | Name(s) of installation-defined security categories, which must be defined as members of the CATEGORY profile in the SECDATA class. | Yes | No | No | Yes |
BASE_CLAUTH | Classes in which user is allowed to define profiles to RACF for protection. Classes can be USER, and any resource classes defined in the class descriptor table. | Yes | No | No | Yes |
BASE_CREATED | The date this user was defined to RACF. | No | No | No | No |
BASE_DATA | Up to 255 characters of installation-defined data. | Yes | No | No | No |
BASE_DAYS | Days of week user is allowed access system from a terminal - Allowed values: ANYDAY, WEEKDAYS, SUNDAY, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY. | Yes | No | No | Yes |
BASE_DFLTGRP | Name of RACF group which is the default group for user. | Yes | No | No | No |
BASE_GRPACC | Indicates that any group data sets protected by DATASET profiles defined by this user are automatically accessible to other users in the group. | Yes | No | Yes | No |
BASE_LAST-ACCESS | The date and time the user last entered the system. | No | No | No | No |
BASE_MODEL | Name of discrete data set profile used as model when new data set profiles are created that have this userid as the high-level qualifier. | Yes | No | No | No |
BASE_NAME | User's name - a name associated with userid - maximum of 20 characters. | Yes | No | No | No |
BASE_OPERATIONS | User has OPERATIONS segment. | Yes | No | Yes | No |
BASE_OWNER | RACF userid or groupname of owner of this userid. | Yes | No | No | No |
BASE_PASS-INTERVAL | The password change interval (in number of days). | No | No | No | No |
BASE_PASSDATE | The date the user's password was last updated. | No | No | No | No |
BASE_PASSWORD | When setting, value is new password. When getting, simply indicates if user has password or is restricted userid (no password). | Yes | No | No | No |
BASE_PASSWORD_ENV | User's password, encrypted in PKCS#7 envelope. Only returned if password enveloping has been set up and userid that authenticated in RACF_SecAdmin constructor has digital certificate on IRR.PWENV.KEYRING keyring. | No | No | No | No |
BASE_PHRASE | The user's pass phrase. A text string of 14-100 characters. | Yes | No | No | No |
BASE_PHRASE_CHANGE_DATE | Date user's pass phrase was last changed. | No | No | No | No |
BASE_RESTRICTED | Indicates global access checking is bypassed when resource access checking is performed for this user, and neither ID(*) on the access list nor the UACC will allow access. | Yes | No | Yes | No |
BASE_RESUME | Date when RACF will resume allowing the user access to the system. Date in format mm/dd/yy. | Yes | No | No | No |
BASE_REVOKE | Date when RACF will stop allowing the user access to the system. Date in format mm/dd/yy. | Yes | No | No | No |
BASE_REVOKED | User's access to the system is currently revoked. | No | No | Yes | No |
BASE_SECLABEL | Installation-defined security label which is user's default security label. | Yes | No | No | No |
BASE_SECLEVEL | User's security level, where seclevel-name is an installation-defined name that must be a member of the SECLEVEL profile in the SECDATA class. | Yes | No | No | No |
BASE_SPECIAL | Indicates user is allowed to issue all RACF commands with all operands except operands that require AUDITOR attribute. | Yes | No | Yes | No |
BASE_TIME | Time of day user is allowed access system from a terminal. Format is start-time:end-time and each time's format is hhmm, where hh is the hour (00-23) and mm is the minutes (00-59). But 0000 is not a valid time value. If start-time is greater than end-time, interval spans midnight. | Yes | No | No | No |
BASE_UAUDIT | Indicates RACF is to log all RACROUTE REQUEST=AUTH and RACROUTE REQUEST=FASTAUTH services eligible for logging, and all RACROUTE REQUEST=DEFINE services issued for the user, and all RACF commands (except SEARCH, LISTDSD, LISTGRP, LISTUSER, and RLIST) issued by user. | Yes | No | Yes | No |
BASE_USERID | Userid | No | No | No | No |
CICS | User has CICS segment. | Yes | Yes | Yes | No |
CICS_OPCLASS | Numbers 1-24, representing classes assigned to this operator to which BMS (basic mapping support) messages are to be routed. | Yes | No | No | Yes |
CICS_OPIDENT | A 1-3 character identification of the operator for use by BMS. | Yes | No | No | No |
CICS_OPPRTY | Number from 0-255 that represents the priority of the operator. | Yes | No | No | No |
CICS_RSLKEY | Specifies the resource security level (RSL) keys assigned to the user. Numbers from 1 - 24 or 0 (meaning no RSL keys are assigned to the user) or 99 (meaning 1 through 24 are assigned to the user). | Yes | No | No | Yes |
CICS_TIMEOUT | Time, in hours and minutes, that the operator is allowed to be idle before being signed off. The value for TIMEOUT can be entered in the form m, mm, hmm, or hhmm, where the value for m or mm is 00-59, or 00-60 if h or hh is not specified or is specified as 0 or 00. | Yes | No | No | No |
CICS_TSLKEY | Specifies the transaction security level (TSL) keys assigned to the user. Numbers from 1 - 64 or 0 (meaning no TSL keys are assigned to the user) or 99 (meaning 1 through 64 are assigned to the user). | Yes | No | No | Yes |
CICS_XRFSOFF | Indicates whether the user is signed off by CICS when an XRF takeover occur. Valid values 'FORCE', 'NOFORCE'. | Yes | No | No | No |
DCE | User has DCE segment. | Yes | Yes | Yes | No |
DCE_AUTOLOGIN | Indicates z/OS UNIX DCE is to log this user into z/OS UNIX DCE automatically. | Yes | No | Yes | No |
DCE_DCENAME | The DCE principal name defined for this RACF user in the DCE registry. 1 - 1023 characters. | Yes | No | No | No |
DCE_HOMECELL | The DCE cell name defined for this RACF user. 1 - 1023 characters. RACF checks that the HOMECELL name entered has a prefix of either /.../ or /.:/ | Yes | No | No | No |
DCE_HOMEUUID | The DCE universal unique identifier (UUID) for the cell that this user is defined to. The UUID is a 36-character string that consists of numeric and hexadecimal characters. This string must have the delimiter character (-) in positions 9, 14, 19, and 24. The general format for the UUID string is xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, in which x represents a valid numeric or hexadecimal character. | Yes | No | No | No |
DCE_UUID | The DCE universal unique identifier (UUID) of the DCE principal defined in DCENAME. The UUID is a 36-character string that consists of numeric and hexadecimal characters. This string must have the delimiter character (-) in positions 9, 14, 19, and 24. The general format for the UUID string is xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, in which x represents a valid numeric or hexadecimal character. | Yes | No | No | No |
DFP | User has DFP segment. | Yes | Yes | Yes | No |
DFP_DATAAPPL | An 8-character DFP data application identifier. | Yes | No | No | No |
DFP_DATACLAS | The default data class. 1-8 characters. | Yes | No | No | No |
DFP_MGMTCLAS | The default management class. 1-8 characters. | Yes | No | No | No |
DFP_STORCLAS | The default storage class. 1-8 characters. | Yes | No | No | No |
EIM | User has EIM segment. | Yes | Yes | Yes | No |
EIM_LDAPPROF | Name of a profile in the LDAPBIND class. The profile in the LDAPBIND class contains the name of an EIM domain and the bind information required to establish a connection with the EIM domain. 1-246 characters. | Yes | No | No | No |
KERB | User has KERB segment. | Yes | Yes | Yes | No |
KERB_ENCRYPT | ENCRYPT values are used to specify which keys are allowed for use based on the encryption algorithm used to generate them. Default values will be provided for any values not specified. Examples: 'DES','DES3' and 'DESD'. | Yes | No | No | Yes |
KERB_KERBNAME | User's local kerberos-principal-name, may contain any characters except '@'. Must not be qualified with a realm name. However, RACF verifies that the local principal name, when fully qualified with the name of the local realm: '/.../local_realm_name/principal_name' does not exceed 240 characters. | Yes | No | No | No |
KERB_KEYVERSION | Current Network Authentication Service key version. | No | No | No | No |
KERB_MAXTKTLFE | The max-ticket-life in seconds, and is represented by a numeric value between 1 and 2147483647. | Yes | No | No | No |
LANGUAGE | User has LANGUAGE segment. | Yes | Yes | Yes | No |
LANGUAGE_PRIMARY | User's primary language. Specified as either an installation-defined name of a currently active language (maximum of 24 characters) or one of the language codes (three characters in length) for a language installed on your system. | Yes | No | No | No |
LANGUAGE_SECONDARY | User's secondary language. Specified as either an installation-defined name of a currently active language (maximum of 24 characters) or one of the language codes (three characters in length) for a language installed on your system. | Yes | No | No | No |
LNOTES | User has LNOTES segment. | Yes | Yes | Yes | No |
LNOTES_SNAME | Lotus Notes for z/OS short-name of the user. 1-64 characters, consisting of alphanumeric characters or '&', '-', '.', '_', and a blank. | Yes | No | No | No |
NDS | User has NDS segment. | Yes | Yes | Yes | No |
NDS_UNAME | Novell Directory Services for OS/390 user-name of the user. 1-246 characters excluding the following characters: '*', '+', '|', '=', ',', '"', '`', '/', ':', ';', '¢', '[', ']' | Yes | No | No | No |
NETVIEW | User has NETVIEW segment. | Yes | Yes | Yes | No |
NETVIEW_CONSNAME | Specifies the default master console station (MCS) console name used for this operator. 1 - 8 character name. | Yes | No | No | No |
NETVIEW_CTL | Indicates whether a security check is performed for this NetView operator when they try to use a span or try to do a cross-domain logon. Allowed values 'GENERAL','GLOBAL' or 'SPECIFIC'. | Yes | No | No | No |
NETVIEW_DOMAINS | Specifies the identifiers of NetView programs in another NetView domain where this operator can start a cross-domain session. Each identifier is 1-5 characters, with valid characters being 0-9, A-Z, #, $, or @. | Yes | No | No | Yes |
NETVIEW_IC | The command or command list (up to 255 characters) to be processed by NetView for this operator when this operator logs on to NetView. | Yes | No | No | No |
NETVIEW_MSGRECVR | Indicates this operator is to receive unsolicited messages that are not routed to a specific NetView operator. | Yes | No | Yes | No |
NETVIEW_NGMFADMN | Indicates a NetView operator has administrator authority to the NetView Graphic Monitor Facility (NGMF). | Yes | No | Yes | No |
NETVIEW_OPCLASS | NetView scope classes for which the operator has authority. Each class is a number from 1 to 2040. | Yes | No | No | Yes |
OMVS | User has OMVS segment. | Yes | Yes | Yes | No |
OMVS_ASSIZEMAX | The RLIMIT_AS hard limit resource value (maximum address space region size) that processes receive when dubbed a process. Integer value between 10485760 and 2147483647. | Yes | No | No | No |
OMVS_CPUTIMEMAX | The RLIMIT_CPU hard limit (maximum) resource value that user's z/OS UNIX processes receive when they are dubbed a process. Numeric value between 7 and 2147483647, indicates the cpu-time in seconds that a process is allowed to use. | Yes | No | No | No |
OMVS_FILEPROCMAX | Maximum number of files this user is allowed to have concurrently active or open. Numeric value between 3 and 524287. | Yes | No | No | No |
OMVS_HOME | User's z/OS UNIX initial directory pathname, 1-1023 characters. | Yes | No | No | No |
OMVS_MEMLIMIT | Specifies the maximum number of bytes of nonshared memory that can be allocated by the user. The nonshared-memory-size you define to RACF is a numeric value between 0 and 16777215, followed by the letter M, G, or T. The M, G, or T letter indicates the multiplier to be used. (M=Megabyte, G Gigabyte, T=Terabyte, P=Petabyte). Maximum value is 16383P. | Yes | No | No | No |
OMVS_MMAPAREAMAX | Maximum amount of data space storage, in pages, that can be allocated by the user for memory mappings of HFS files. Numeric value between 1 and 16,777,216. | Yes | No | No | No |
OMVS_PROCUSERMAX | Maximum number of processes user is allowed to have active at the same time, regardless of how the process became a z/OS UNIX process. Numeric value between 3 and 32767. | Yes | No | No | No |
OMVS_PROGRAM | Specifies the PROGRAM pathname (z/OS UNIX shell program). The first program started when TSO/E command OMVS is entered or when a batch job is started using the BPXBATCH program, 1-1023 characters. | Yes | No | No | No |
OMVS_SHMEMMAX | The maximum number of bytes of shared memory that can be allocated by user. The shared-memory-size you define to RACF is a numeric value between 1 and 16,777,215, followed by the letter M, G, T, or P. The M, G, T, or P letter indicates the multiplier to be used. (M=Megabyte, G Gigabyte, T=Terabyte, P=Petabyte). Maximum value is 16383P. | Yes | No | No | No |
OMVS_THREADSMAX | Maximum number of pthread_create threads, including those running, queued, and exited but not detached, that the user can have concurrently active. Numeric value between 0 and 100000. | Yes | No | No | No |
OMVS_UID | The UID, numeric value between 0 and 2147483647. 'AUTOUID' value can be used when BPX.NEXT.USER profile is defined in the FACILITY class. SHARED value can be used when the SHARED.IDS profile in the UNIXPRIV class is defined. See z/OS Security Server RACF Security Administrator's Guide for details. | Yes | No | No | Yes |
OPERPARM | User has OPERPARM segment. | Yes | Yes | Yes | No |
OPERPARM_ALTGRP | The console group used in recovery. 1-8 characters, with valid characters being 0-9, A-Z, #, $, or @. | Yes | No | No | No |
OPERPARM_AUTH | Authority this console has to issue operator commands. Valid values, 'MASTER', 'ALL', 'INFO' (these three cannot be combined with other values) and 'CONS', 'IO' and 'SYS'. See AlTER USER in z/OS Security Server RACF Command Language Reference for more detailed description. | Yes | No | No | Yes |
OPERPARM_AUTO | Indicates the extended console can receive messages that have been automated by the Message Processing Facility (MPF) in the sysplex. | Yes | No | Yes | No |
OPERPARM_CMDSYS | Indicates the system to which commands issued from this console are to be sent. 1-8 characters, with valid characters being A-Z, 0-9, @ (X'7C'), # (X'7B'), and $ (X'5B'). If * is specified, commands are processed on the local system where the console is attached. | Yes | No | No | No |
OPERPARM_DOM | Indicates whether this console receives delete operator message (DOM) requests. Allowed values 'NORMAL','ALL','NONE'. | Yes | No | No | No |
OPERPARM_HC | Indicates this console is to receive hardcopy messages. | Yes | No | Yes | No |
OPERPARM_INTIDS | Indicates this console is to receive messages directed to console ID 0 (the internal console). | Yes | No | Yes | No |
OPERPARM_KEY | A 1-8 byte character name that can be used to display information for all consoles with the specified key by using the MVS command DISPLAY CONSOLES,KEY. Valid characters are A-Z, 0-9, # (X'7B'), $ (X'5B'), or @ (X'7C'). | Yes | No | No | No |
OPERPARM_LEVEL | Specifies the messages that this console is to receive. Can be a list of R, I, CE, E, IN, NB or ALL. If you specify ALL, you cannot specify R, I, CE, E, or IN. | Yes | No | No | Yes |
OPERPARM_LOGCMDRESP | Indicates if command responses are to be logged. Value of 'SYSTEM' specifies that command responses are logged in the hardcopy log. Value of 'NO' specifies that command responses are not logged. | Yes | No | No | No |
OPERPARM_MFORM | Specifies the format in which messages are displayed at the console. Can be a combination of J, M, S, T, and X. | Yes | No | No | Yes |
OPERPARM_MIGID | Indicates a 1-byte migration ID is assigned to this console. | Yes | No | Yes | No |
OPERPARM_MONITOR | Specifies which information should be displayed when jobs, TSO sessions, or data set status are being monitored. Allowed values, 'JOBNAMES' OR 'JOBNAMEST' (mutually exclusive), 'SESS' or 'SESST' (mutually exclusive) or 'STATUS'. See ALTUSER in z/OS Security Server RACF Command Language Reference for a more detailed description. | Yes | No | No | Yes |
OPERPARM_MSCOPE | Specifies the systems from which this console can receive messages that are not directed to a specific console. Each system-name can be any combination of A-Z, 0-9, #, $, or @. A name of '*' indicates the system on which the console is currently active. | Yes | No | No | Yes |
OPERPARM_ROUTCODE | Routing codes of messages this console is to receive. Valid values are 'ALL' or One or more routing codes or sequences of routing codes. The routing codes can be list of n and n1:n2, where n, n1, and n2 are integers 1-128, and n2 is greater than n1. | Yes | No | No | Yes |
OPERPARM_STORAGE | Amount of storage in the TSO/E user's address space that can be used for message queuing to this console. Valid values are 1 - 2000. | Yes | No | No | No |
OPERPARM_UD | Indicates that this console is to receive undelivered messages. | Yes | No | Yes | No |
OPERPARM_UNKNIDS | Indicates this console is to receive messages directed to console ID 0 (the internal console). | Yes | No | Yes | No |
OVM | User has OVM segment. | Yes | Yes | Yes | No |
OVM_FSROOT | The pathname for the file system root. 1 - 1023 characters. | Yes | No | No | No |
OVM_HOME | The initial directory pathname. 1 - 1023 characters. | Yes | No | No | No |
OVM_PROGRAM | Specifies the PROGRAM pathname. 1 - 1023 characters. First program started when the OPENVM SHELL command is entered. | Yes | No | No | No |
OVM_UID | OpenExtensions VM user identifier, UID. Numeric value between 0 and 2147483647. | Yes | No | No | Yes |
PROXY | User has PROXY segment. | Yes | Yes | Yes | No |
PROXY_BINDDN | The distinguished name (DN) which the z/OS LDAP Server will use when acting as a proxy on behalf of a requester. 1 - 1023 characters. | Yes | No | No | No |
PROXY_BINDPW | Password which the z/OS LDAP Server will use when acting as a proxy on behalf of a requester. 1 - 128 characters. | Yes | No | No | No |
PROXY_LDAPHOST | The URL of the LDAP server which the z/OS LDAP Server will contact when acting as a proxy on behalf of a requester. The URL should be in a format such as ldap://123.45.6:389 10-1023 characters. A valid URL must start with either ldap:// or ldaps:// and is not case-sensitive. | Yes | No | No | No |
TSO | User has TSO segment. | Yes | Yes | Yes | No |
TSO_ACCTNUM | User's default TSO account number when logging on through the TSO/E logon panel (1-39 characters). | Yes | No | No | No |
TSO_COMMAND | Command to be run during TSO/E logon (1 - 80 characters). | Yes | No | No | No |
TSO_DEST | Default destination to which the user can route dynamically allocated SYSOUT data sets. The specified value must be 1-7 alphanumeric characters, beginning with an alphabetic or national character. | Yes | No | No | No |
TSO_HOLDCLASS | User's default hold class. The specified value must be 1 alphanumeric character, excluding national characters. | Yes | No | No | No |
TSO_JOBCLASS | Specifies the user's default job class. The specified value must be 1 alphanumeric character, excluding national characters. | Yes | No | No | No |
TSO_MAXSIZE | Maximum region size user can request at logon. Number of 1024-byte units of virtual storage that TSO can create for the user's private address space. Integer between 0 and 65535 (inclusive) if database is shared with any MVS systems, or 0 through 2096128 if not shared. | Yes | No | No | No |
TSO_MSGCLASS | User's default message class. The specified value must be 1 alphanumeric character, excluding national characters. | Yes | No | No | No |
TSO_PROC | Name of the user's default logon procedure when logging on through the TSO/E logon panel. The name must be 1-8 alphanumeric characters and begin with an alphabetic character. | Yes | No | No | No |
TSO_SECLABEL | User's security label if the user specifies one on the TSO logon panel. | Yes | No | No | No |
TSO_SIZE | Region size - number of 1024-byte units of virtual storage available in user's private address space at logon when user does not request a region size at logon. Integer between 0 and 65535 (inclusive) if database is shared with any MVS systems, or 0 through 2096128 if not shared. | Yes | No | No | No |
TSO_SYSOUTCLASS | User's default SYSOUT class. The specified value must be 1 alphanumeric character, excluding national characters. | Yes | No | No | No |
TSO_UNIT | Default name of a device or group of devices that a procedure uses for allocations. The specified value must be 1-8 alphanumeric characters. | Yes | No | No | No |
TSO_USERDATA | Optional installation data, 4 characters where valid characters are 0 through 9 and A through F. | Yes | No | No | No |
WORKATTR | User has WORKATTR segment. | Yes | Yes | Yes | No |
WORKATTR_WAACCNT | An account number for APPC/MVS processing. 1 to 255 characters. | Yes | No | No | No |
WORKATTR_WAADDR1 | Address Line 1 that SYSOUT information is to be delivered to. 1 to 60 characters. | Yes | No | No | No |
WORKATTR_WAADDR2 | Address Line 2 that SYSOUT information is to be delivered to. 1 to 60 characters. | Yes | No | No | No |
WORKATTR_WAADDR3 | Address Line 3 that SYSOUT information is to be delivered to. 1 to 60 characters. | Yes | No | No | No |
WORKATTR_WAADDR4 | Address Line 4 that SYSOUT information is to be delivered to. 1 to 60 characters. | Yes | No | No | No |
WORKATTR_WABLDG | Building that SYSOUT information is to be delivered to. 1 to 60 characters. | Yes | No | No | No |
WORKATTR_WADEPT | Department that SYSOUT information is to be delivered to. 1 to 60 characters. | Yes | No | No | No |
WORKATTR_WANAME | Name of the user that SYSOUT information is to be delivered to. 1 to 60 characters. | Yes | No | No | No |
WORKATTR_WAROOM | Room that SYSOUT information is to be delivered to. 1 to 60 characters. | Yes | No | No | No |
135 attributes total.
+Group Attributes | |||||
---|---|---|---|---|---|
Attribute Name | Description | Modifiable | Segment | Boolean Attribute | Multi-Value Attribute |
BASE_CREATED | The date this group was defined to RACF. | No | No | No | No |
BASE_DATA | Up to 255 characters of installation-defined data. | Yes | No | No | No |
BASE_GROUPNAME | Name of the group. | No | No | No | No |
BASE_MODEL | Name of a data set profile that RACF is to use as a model when new data set profiles are created that have groupname as the high-level qualifier. | Yes | No | No | No |
BASE_OWNER | RACF userid or groupname of owner of this group. | Yes | No | No | No |
BASE_SUBGROUPS | Groups which have this group as their superior group. | No | No | No | Yes |
BASE_SUPGROUP | Name of the RACF-defined group which is the superior group for this group. | Yes | No | No | No |
BASE_TERMUACC | Indicates during terminal authorization checking, RACF is to allow the use of the universal access authority for a terminal when it checks whether a user in the group is authorized to access a terminal. | Yes | No | Yes | No |
BASE_UNIVERSAL | Specifies that this is a universal group that allows an effectively unlimited number of users to be connected to it for the purpose of resource access. | Yes | No | Yes | No |
DFP | Group has DFP segment. | Yes | Yes | Yes | No |
DFP_DATAAPPL | An 8-character DFP data application identifier. | Yes | No | No | No |
DFP_DATACLAS | The default data class. 1-8 characters. | Yes | No | No | No |
DFP_MGMTCLAS | The default management class. 1-8 characters. | Yes | No | No | No |
DFP_STORCLAS | The default storage class. 1-8 characters. | Yes | No | No | No |
OMVS | Group has OMVS segment. | Yes | Yes | Yes | No |
OMVS_GID | The group id, GID, numeric value between 0 and 2147483647. 'AUTOGID' value can be used when BPX.NEXT.USER profile is defined in the FACILITY class. SHARED value can be used when the SHARED.IDS profile in the UNIXPRIV class is defined. See z/OS Security Server RACF Security Administrator's Guide for details. | Yes | No | No | Yes |
OVM | Group has OVM segment. | Yes | Yes | Yes | No |
OVM_GID | OpenExtensions VM group identifier. The GID is a numeric value between 0 and 2147483647. | Yes | No | No | No |
18 attributes total.
+ +Membership Attributes | |||||
---|---|---|---|---|---|
Attribute Name | Description | Modifiable | Segment | Boolean Attribute | Multi-Value Attribute |
BASE_ADSP | Indicates when user is connected to this group, all permanent tape and DASD data sets created by the user is RACF-protected by discrete profiles. | Yes | No | Yes | No |
BASE_AUDITOR | Indicates the user is to have the group-AUDITOR attribute when connected to this group. | Yes | No | Yes | No |
BASE_AUTHORITY | Specifies the level of authority the user is to have in the group. The valid group authority values are 'USE', 'CREATE', 'CONNECT', and 'JOIN'. | Yes, Not Deletable | No | No | No |
BASE_CONNECT-DATE | Date user was added to group. | No | No | No | No |
BASE_CONNECTS | Number of times the user has entered the system with this group as the current connect group. | No | No | No | No |
BASE_GRPACC | Indicates when the user is connected to this group, any group data sets defined by the user are automatically accessible to other users in the group. | Yes | No | Yes | No |
BASE_LAST-CONNECT | Date user last entered the system using this group as the current connect group. | No | No | No | No |
BASE_OPERATIONS | Indicates user is to have the group-OPERATIONS attribute when connected to this group. The group-OPERATIONS user has authorization to do maintenance operations on all RACF-protected DASD data sets, tape volumes, and DASD volumes within the scope of the group unless the access list for a resource specifically limits the OPERATIONS user to an access authority that is less than the operation requires. | Yes | No | Yes | No |
BASE_OWNER | RACF-defined user or group to be assigned as the owner of the membership (connect profile). Defaults to the user who added user to group. | Yes, Not Deletable | No | No | No |
BASE_RESUME | Date when user's membership in the group will be restored or resumed. | Yes | No | No | No |
BASE_REVOKE | Date when user's membership in the group will be revoked. | Yes | No | No | No |
BASE_REVOKED | User's membership to the group is currently revoked. | No | No | Yes | No |
BASE_SPECIAL | User is to have the group-SPECIAL attribute when connected to this group. | Yes | No | Yes | No |
BASE_UACC | Default value for the universal access authority for new resource profiles the user defines while connected to the group. Valid values are: ALTER, CONTROL, UPDATE, READ, and NONE. | Yes | No | No | No |
14 attributes total.
+
+
+
diff --git a/zOS-RACF/Downloads/RACFJsec/ShowAttributes.java b/zOS-RACF/Downloads/RACFJsec/ShowAttributes.java
new file mode 100644
index 00000000..6732d069
--- /dev/null
+++ b/zOS-RACF/Downloads/RACFJsec/ShowAttributes.java
@@ -0,0 +1,46 @@
+/* */
+/* Copyright 2023 IBM Corp. */
+/* */
+/* Licensed under the Apache License, Version 2.0 (the "License"); */
+/* you may not use this file except in compliance with the License. */
+/* You may obtain a copy of the License at */
+/* */
+/* http://www.apache.org/licenses/LICENSE-2.0 */
+/* */
+/* Unless required by applicable law or agreed to in writing, */
+/* software distributed under the License is distributed on an */
+/* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, */
+/* either express or implied. See the License for the specific */
+/* language governing permissions and limitations under the License. */
+/* */
+import com.ibm.eserver.zos.racf.userregistry.*;
+import com.ibm.security.userregistry.*;
+
+
+public class ShowAttributes {
+
+
+ public static void main(String[] args)
+ {
+ System.out.print("The point of this program is to demonstrate how simply one can call");
+ System.out.print(" RACF_User.attributesHTML, RACF_Group.attributesHTML and RACF_Group.membershipAttributesHTML. 
");
+ System.out.println(" The output should be displayed in a web browser.");
+ System.out.println(" ");
+ ///////////////////////////////////////////////////////////////////////////////////////////////
+ System.out.println("------------- Start of output from RACF_User.attributesHTML------------\n");
+ System.out.println(RACF_User.attributesHTML());
+
+ System.out.println("------------- End of output from RACF_User.attributesHTML------------\n");
+
+ System.out.println("------------- Start of output from RACF_Group.attributesHTML------------");
+ System.out.println(RACF_Group.attributesHTML());
+
+ System.out.println("------------- End of output from RACF_Group.attributesHTML------------");
+ System.out.println("------------- Start of output from RACF_Group.membershipAttributesHTML------------");
+ System.out.println(RACF_Group.membershipAttributesHTML());
+
+ System.out.println("------------- End of output from RACF_Group.membershipAttributesHTML------------");
+
+ }
+
+}
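Review bot: The banner lines around each attributesHTML() call are plain text with `\n` separators, yet the program tells the reader its output "should be displayed in a web browser", where those separators collapse and the banners run straight into the HTML that the helpers return; emitting each banner as markup, e.g. `System.out.println("<h2>Output from RACF_User.attributesHTML</h2>");`, keeps the sections readable in both a terminal and a browser. The second `System.out.print(...)` literal appears split across two lines in this rendering; a raw line break inside a Java string literal does not compile, so presumably the source has `\n` there — worth confirming. `com.ibm.security.userregistry.*` is imported but nothing in this file appears to reference it, and the wildcard imports hide which classes are actually used. main() has no comment; a class Javadoc such as `/** Prints the RACF user, group and membership attribute reference tables as HTML to stdout. */` would state the intent that is currently only given in the printed text.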
