Using the Search Operation to Perform Resource Checks

You can use a CA LDAP Server search operation to perform authorization checks against the CA ACF2 Security database. Two different authorization checks are available for you to perform:
RESCHECK
RESCHECK performs the authorization check and returns success (return code 0) or insufficient access (return code 50). If you are not authorized to the LOG and/or STATUS parameters, you receive inappropriate authentication (return code 48). To use the LOG and STATUS parameters, the logged-in user ID must be authorized to the configured class and entity combination. The CA LDAP Server performs one RACROUTE AUTH check for each LOG and STATUS keyword value against the logged-in user ID per connection to the CA LDAP Server. If more than one RESCHECK is performed with the same LOG and STATUS parameters, only one AUTH call is issued for the life of the connection. The AUTH call that is issued is logged (LOG=ASIS) and cannot be overridden.
The default class is CALDAP and the entity HLQ is LDAP. When the resource check is made, the full entity value is HLQ.RESCHK.LOG.keyword and HLQ.RESCHK.STATUS.keyword with an access level of READ. You can change the default class and entity HLQ that is used with the acfRescheckClass and acfRescheckEntity keywords. For information, see CA ACF2 Configuration Options.

Search DN    Scope    Search Filter
suffix DN    Base     RESCHECK=userid,access_level,class,entity[,log[,status]]

Where access_level has a value of:
  • READ, UPDATE, CONTROL, or ALTER
Where class has a value of:
  • The class name, if you are performing a resource rule check
  • A value of dataset, if you are performing a dataset rule check
Where log is optional. If used, it has a value of:
  • ASIS, NONE, NOFAIL or NOSTAT (If not specified, the default is ASIS)
Where status is optional. If used, it has a value of:
  • NONE, ERASE, EVERDOM, WRITEONLY or ACCESS (If not specified, the default is NONE)
    This can only be specified if log is also specified.
For example, to see if a user has read access to the SYS1.* data sets, issue the following command:
ldapsearch -x -D cn=userid -w password -H ldap://127.0.0.1:389 -s base -b host=xe42,o=ca,c=us rescheck=userid,read,dataset,sys1
To see if a user has read access to the SYS1.* data sets, without logging occurring if the user is not authorized, issue the following command:
ldapsearch -x -D cn=userid -w password -H ldap://127.0.0.1:389 -s base -b host=xe42,o=ca,c=us rescheck=userid,read,dataset,sys1,none
RESDATA
RESDATA performs the authorization check and, if successful, returns a CA LDAP Server object (objectclass=resdata). The object includes two attributes: acf2userdata and acf2data.
  • acf2userdata
    Contains the data, if any, from the $USERDATA control record of the rule that authorized access.
  • acf2data
    Contains the DATA portion of the rule line that authorized access.
The $USERDATA and DATA portions are only returned for resource rule checks. This is specific to the CA LDAP Server and the CAACF2_UTF back end and is not supported with the CADB2 back end.

Search DN    Scope    Search Filter
suffix DN    Base     RESDATA=userid,access_level,class,entity

Where access_level has a value of:
For data set validation:
  • READ, WRITE, EXECUTE, ALLOCATE, SCRATCH, RENAME, CATALOG
For resource validation:
  • READ, WRITE, ADD, DELETE, UPDATE, EXECUTE, CONTROL, ALTER, CREATE, SCRATCH
Where class has a value of:
  • R followed by the 8-byte class name, if you are performing a resource rule check
  • Supply nothing for this parameter, if you are performing a data set rule check
For example, to see if a user has read access to the SYS1.* data sets, issue the following command:
ldapsearch -x -D cn=userid -w password -H ldap://127.0.0.1:389 -s base -b host=xe42,o=ca,c=us resdata=userid,read,,sys1
The object returned appears as follows:
dn: resdata=userid,read,rdsn,sys1,host=xe42,o=ca,c=us
objectclass: resdata
resdata: access granted
acf2userdata: NONE
acf2data: NONE
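The following Python script is an added example, not CA's code, showing how both the RESCHECK and RESDATA searches described above can be driven from an automated authorization check: it builds the search filters in the forms documented on this page, validates the keyword values against the lists given for each operation, invokes ldapsearch with the same options as the page's examples (plus OpenLDAP's -LLL so that stdout is bare LDIF), and maps the LDAP result code that ldapsearch returns as its exit status (0, 50, 48) to an allow or deny decision that fails closed on anything else. The stub runner, the sample LDIF (copied from the RESDATA output on this page) and the CICSTRAN class name are constructed for the demonstration; the assumption that the caller supplies any 8-byte padding of the resource class name is noted in the code.

```python
"""Added example (not CA's code): drive CA LDAP Server RESCHECK/RESDATA checks from a script."""
import subprocess
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# LDAP result codes the page documents for RESCHECK; ldapsearch returns them as its exit status.
LDAP_SUCCESS = 0
LDAP_INAPPROPRIATE_AUTH = 48   # bound user id not authorized to the LOG/STATUS keyword
LDAP_INSUFFICIENT_ACCESS = 50  # access denied by the ACF2 rule

# Keyword values listed on the page.
RESCHECK_ACCESS = {"READ", "UPDATE", "CONTROL", "ALTER"}
RESCHECK_LOG = {"ASIS", "NONE", "NOFAIL", "NOSTAT"}
RESCHECK_STATUS = {"NONE", "ERASE", "EVERDOM", "WRITEONLY", "ACCESS"}
RESDATA_DATASET_ACCESS = {"READ", "WRITE", "EXECUTE", "ALLOCATE", "SCRATCH", "RENAME", "CATALOG"}
RESDATA_RESOURCE_ACCESS = {"READ", "WRITE", "ADD", "DELETE", "UPDATE", "EXECUTE",
                           "CONTROL", "ALTER", "CREATE", "SCRATCH"}


def rescheck_filter(userid: str, access: str, class_name: str, entity: str,
                    log: Optional[str] = None, status: Optional[str] = None) -> str:
    """RESCHECK=userid,access_level,class,entity[,log[,status]]; class is 'dataset' for data set rules."""
    if access.upper() not in RESCHECK_ACCESS:
        raise ValueError(f"bad access level {access!r}")
    if log is not None and log.upper() not in RESCHECK_LOG:
        raise ValueError(f"bad log value {log!r}")
    if status is not None:
        if log is None:
            raise ValueError("status may only be specified when log is specified")
        if status.upper() not in RESCHECK_STATUS:
            raise ValueError(f"bad status value {status!r}")
    parts = [userid, access, class_name, entity]
    if log is not None:
        parts.append(log)
        if status is not None:
            parts.append(status)
    return "rescheck=" + ",".join(parts)


def resdata_filter(userid: str, access: str, entity: str,
                   resource_class: Optional[str] = None) -> str:
    """RESDATA=userid,access_level,class,entity; the class field is empty for a data set rule
    and 'R' + class name for a resource rule (assumption: caller pads the name to 8 bytes)."""
    valid = RESDATA_DATASET_ACCESS if resource_class is None else RESDATA_RESOURCE_ACCESS
    if access.upper() not in valid:
        raise ValueError(f"bad access level {access!r} for this rule type")
    class_field = "" if resource_class is None else "R" + resource_class
    return f"resdata={userid},{access},{class_field},{entity}"


def ldapsearch_argv(bind_dn: str, password: str, url: str, base_dn: str, search_filter: str) -> List[str]:
    """argv matching the page's ldapsearch invocation, plus -LLL so stdout is bare LDIF."""
    return ["ldapsearch", "-x", "-LLL", "-D", bind_dn, "-w", password,
            "-H", url, "-s", "base", "-b", base_dn, search_filter]


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Minimal LDIF reader for the single entry RESDATA returns (no base64 or folded lines)."""
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or ": " not in line:
            continue
        name, value = line.split(": ", 1)
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


@dataclass
class CheckResult:
    allowed: bool
    result_code: int
    reason: str
    entry: Dict[str, List[str]] = field(default_factory=dict)  # RESDATA attributes, empty for RESCHECK


Runner = Callable[[List[str]], Tuple[int, str]]


def subprocess_runner(argv: List[str]) -> Tuple[int, str]:
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout


def run_check(argv: List[str], runner: Runner = subprocess_runner) -> CheckResult:
    """Run the search and fold the exit status into a decision; anything unexpected is a deny."""
    rc, out = runner(argv)
    if rc == LDAP_SUCCESS:
        return CheckResult(True, rc, "access granted", parse_ldif(out))
    if rc == LDAP_INSUFFICIENT_ACCESS:
        return CheckResult(False, rc, "insufficient access")
    if rc == LDAP_INAPPROPRIATE_AUTH:
        return CheckResult(False, rc, "bound user id is not authorized to the requested LOG/STATUS keyword")
    return CheckResult(False, rc, f"unexpected LDAP result code {rc}")


# Constructed sample: the RESDATA entry shown on this page, as ldapsearch -LLL would print it.
SAMPLE_RESDATA_LDIF = """dn: resdata=userid,read,rdsn,sys1,host=xe42,o=ca,c=us
objectclass: resdata
resdata: access granted
acf2userdata: NONE
acf2data: NONE
"""


def demo() -> Tuple[CheckResult, CheckResult]:
    """Exercise both checks against a stub runner so the example runs without a CA LDAP Server."""
    def stub(argv: List[str]) -> Tuple[int, str]:
        if argv[-1].startswith("resdata="):
            return LDAP_SUCCESS, SAMPLE_RESDATA_LDIF
        return LDAP_INSUFFICIENT_ACCESS, ""  # pretend the RESCHECK is denied

    base, url = "host=xe42,o=ca,c=us", "ldap://127.0.0.1:389"
    a = ldapsearch_argv("cn=userid", "password", url, base,
                        rescheck_filter("userid", "read", "dataset", "sys1", log="none"))
    b = ldapsearch_argv("cn=userid", "password", url, base, resdata_filter("userid", "read", "sys1"))
    return run_check(a, stub), run_check(b, stub)


if __name__ == "__main__":
    for r in demo():
        print(r.allowed, r.result_code, r.reason, r.entry.get("acf2data"))
```

Because the decision is keyed on the exit status rather than on parsing "access granted" out of the output, an unreachable server, a bind failure or a malformed filter all land in the deny branch; the LDIF is only consulted after a successful RESDATA, where acf2userdata and acf2data carry the rule data the page describes.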