__check_resource_auth_np() — Determine access to MVS resources

Standards

Standards / Extensions    C or C++    Dependencies
z/OS® UNIX                both

Format

#include <unistd.h>

int __check_resource_auth_np( char *principal_uuid,
                              char *cell_uuid,
                              char *userid,
                              char *security_class,
                              char *entity_name,
                              int access_type);

General description

The __check_resource_auth_np() function is used to check the access a user has to an MVS™ resource.

For authorization to use this function, the caller must have read permission to the BPX.SERVER Facility class, or if BPX.SERVER is not defined, the caller must be a superuser (UID=0).

The user identity can be specified in several forms. The identities are scanned in the order below, and the access check will be made with the first identity that is found:
  • userid
  • principal UUID and, if known, a cell UUID
  • caller's thread-level (task) security context, if one exists
  • caller's process-level (address space) security context
Note:
  • When no identity is specified by the caller and the caller's task has an ACEE created with pthread_security_np() for a SURROGATE (non-password) client, both the task and address space level ACEEs are used in determining the type of access permitted to a resource.
  • The __check_resource_auth_np() function supports general resources only. In particular, the security_class parameter cannot specify DATASET. For systems using RACF®, the class name specified must be in the RACF class descriptor table.
The parameters supported are:
principal_uuid
Specifies a 36-byte principal UUID. A value of NULL indicates that no principal UUID is specified.
cell_uuid
Specifies a 36-byte cell UUID. A value of NULL indicates that no cell UUID is specified.
userid
Specifies a user ID. A value of NULL indicates that no user ID is specified. The userid must be 1-8 characters in length.
security_class
Specifies the name of a class of resources. The access check will be made on a resource in this security class. The security_class must be 1-8 characters in length.
entity_name
Specifies a resource profile name. The access check will be made on the resource specified by the resource profile name. The entity_name must be 1-246 characters in length.
access_type
Specifies a numeric value that identifies the type of access to check for. Possible access values are:
__READ_RESOURCE
check if the specified user has read access to the resource.
__UPDATE_RESOURCE
check if the specified user has update access to the resource.
__CONTROL_RESOURCE
check if the specified user has control access to the resource.
__ALTER_RESOURCE
check if the specified user has alter access to the resource.

Returned value

If successful, __check_resource_auth_np() returns 0.

If unsuccessful, __check_resource_auth_np() returns -1 and sets errno to one of the following values:
Error Code
Description
EINVAL
One of the following errors was detected:
  • The access_type specified is undefined.
  • The userid was not 1 to 8 characters in length.
  • The security_class was not 1 to 8 characters in length.
  • The entity_name was not 1 to 246 characters in length.
EMVSERR
An MVS internal or environmental error occurred.
EMVSSAF2ERR
One of the following errors was detected:
  • Received an unexpected return code from the security product.
  • The security product detected an error in the input parameters.
  • An internal error occurred in the security product.
ENOSYS
One of the following errors was detected:
  • No security product is installed on the system.
  • The security product does not have support for this function.
EPERM
One of the following errors was detected:
  • The caller is not permitted to use this service.
  • The user does not have the specified access_type to the resource.
  • Not permitted in address spaces where a load from an unauthorized library has been performed.
ESRCH
One of the following errors was detected:
  • No mapping exists between a UUID and Userid.
  • The resource specified is not defined to the security product.
  • The DCEUUIDS class is not active.
  • The userid is not defined to the security product.
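
Added example (not from the original page or from IBM): a fail-closed wrapper a server could use to check a client's read access, refusing a NULL userid so the check never falls through to the caller's own identity. The helper check_read(), the enum authz, and the user, class and profile names are assumptions; the #ifndef __MVS__ stub is a constructed stand-in so the code builds off z/OS.

```c
#include <errno.h>
#include <string.h>
#include <unistd.h>

#ifndef __MVS__
/* Constructed stand-in so the example builds off z/OS. On z/OS the function
   and __READ_RESOURCE come from <unistd.h>; the value 1 is a placeholder. */
#define __READ_RESOURCE 1
static int __check_resource_auth_np(char *p, char *c, char *userid,
                                    char *cls, char *entity, int access_type)
{
    (void)p; (void)c; (void)cls; (void)access_type;
    if (strcmp(entity, "APP.UNDEFINED") == 0) { errno = ESRCH; return -1; }
    if (strcmp(userid, "ALICE") != 0) { errno = EPERM; return -1; }
    return 0;
}
#endif

enum authz { AUTHZ_ALLOW, AUTHZ_DENY, AUTHZ_NOT_FOUND, AUTHZ_ERROR };

/* Hypothetical fail-closed helper: only a 0 return from the service is ALLOW. */
enum authz check_read(const char *userid, const char *cls, const char *entity)
{
    char u[9], c[9], e[247];
    size_t ul = userid ? strlen(userid) : 0;
    size_t cl = cls ? strlen(cls) : 0;
    size_t el = entity ? strlen(entity) : 0;
    /* Require an explicit userid: with NULL the check would fall through to
       the caller's own task or address-space identity. */
    if (ul < 1 || ul > 8 || cl < 1 || cl > 8 || el < 1 || el > 246)
        return AUTHZ_ERROR;
    if (strcmp(cls, "DATASET") == 0)      /* general resources only */
        return AUTHZ_ERROR;
    memcpy(u, userid, ul + 1); memcpy(c, cls, cl + 1); memcpy(e, entity, el + 1);

    if (__check_resource_auth_np(NULL, NULL, u, c, e, __READ_RESOURCE) == 0)
        return AUTHZ_ALLOW;
    switch (errno) {
    case EPERM: return AUTHZ_DENY;      /* no access, or caller may not use service */
    case ESRCH: return AUTHZ_NOT_FOUND; /* profile or user not defined */
    default:    return AUTHZ_ERROR;     /* EINVAL, ENOSYS, EMVSERR, EMVSSAF2ERR */
    }
}

int main(void)
{   /* constructed user, class and profile names */
    return check_read("ALICE", "FACILITY", "APP.REPORTS") == AUTHZ_ALLOW ? 0 : 1;
}
```

Because EPERM is also returned when the caller itself is not permitted to use the service, a run of AUTHZ_DENY results for every user is worth checking against the server's BPX.SERVER permission.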
