Spool - Variable &REQ value resolution
search cancel

Spool - Variable &REQ value resolution

book

Article ID: 249974

calendar_today

Updated On:

Products

Spool

Issue/Introduction

We are trying to change the value resolved by &REQ(6,2) in the parameterization member.

However, looking into the manual, we see that &REQ comes from the variable SECREQ in the macro $IQSECPM. 

Environment

Release : 14.0

Component : Spool

Resolution

In the documentation, under Variables:

 . In the following list, each variable is shown as an & (ampersand), followed by a 3-character identification, a zero offset index, and the length.

   Each variable is 8-bytes, but trailing zeros are removed.

&REQ
Indicates the value of SECREQ from the $IQSECPM macro
This identifies which type of request is being checked. The value of &REQ is decimal, as opposed to the values defined in $IQSECPM.

The value of the variable &REQ represents a request an user is attempting to execute. The purpose of inserting these values in the resource definitions is to allow more granularity in the security settings. If you remove the &REQ keyword from the SAFTYPE statement, this granularity is lost. 

SAFTYPEs 15 and 16 are used when USERDEF DEFGROUP=NO is specified. 

This was referred to in the past as "Userid Related View".  

By design, when entering the Printer Menu for the first time, we check access to every group from 1 to MAXGROUP.  In this case, MAXGROUP would be the highest group defined on a Node plus 10.  There are no Node statements in the documentation we have.  

So, in checking access to group 1, if access is denied, we check access to every printer defined in group 1 to determine if the user can see a subset of the nodes defined in group 1 and not all printers in the group. 

Then we move to group 2 and do the same.  We continue until we reach the MAXGROUP group.  

With SAFDEF  NOINT,EXT,CLASS=DATASET:

 . The checks against the external security system are made using security resource authorization calls.

 . These checks access the names of nonexistent data sets. These data set names are also referred to as resource names.

It is not recommended to remove the SAFTYPE statements themselves. They are used when the following parameter is set:

 USERDEF DEFGROUP=NO 

This appears in the ESFPARMs.

This parameter implements what is called userid related view, that is, a userid when issues the P command in the menu to list the printers will only see the printers he has permission to see.

This causes Spool to issue several security calls, one for each group of printers and one for each printer inside the group to create the list of printers to be displayed in the panel.

If the number of groups and printers is too large, this can cause some performance impact. 

Removing this parameter or setting DEFGROUP=YES requires a decision