Thursday, May 10, 2012

How to get RACF information in a CICS region


CICS doesn’t supply much access directly to RACF info via the API. But there is a supported way to obtain a lot of RACF information about the current user. And it can be done in plain ol’ COBOL.

EXEC CICS ADDRESS ACEE will provide access to the RACF ACEE control block. (ACEE stands for Access Control Environment Element. Maybe it will come up in a trivia question some day. Probably not. The important thing to know is that it is a block of storage containing RACF information which can be addressed from application programs.) From there, it is possible to easily obtain the user’s primary RACF group and the user’s name (as it is recorded in RACF).

The layout of the ACEE control block is documented in SYS1.MACLIB(IHAACEE). Unfortunately, there is not a COBOL copybook provided, so to access this information in a COBOL program, we have to code our own storage definitions. The following are based on SYS1.MACLIB(IHAACEE):

Define these in the Linkage Section:

       01  ACEE.
           05  FILLER                PIC X(021).
      *    RACF user ID
           05  ACEEUSRI              PIC X(008).
           05  FILLER                PIC X(001).
      *    Primary RACF group name
           05  ACEEGRPN              PIC X(008).
           05  FILLER                PIC X(062).
      *    Address of the user name area
           05  ACEEUNAM-POINTER      USAGE IS POINTER.
       01  ACEE-USER-NAME.
           05  FILLER                PIC X(001).
      *    User's name as recorded in RACF
           05  ACEEUNAM              PIC X(020).

And we need a piece of miscellaneous working storage to hold a pointer:

       77  WS-ACEE-ADDR-POINTER      USAGE IS POINTER.

Now, if we execute the following, we’ll have the address of the ACEE control block in that pointer:

           EXEC CICS
               ADDRESS ACEE (WS-ACEE-ADDR-POINTER)
           END-EXEC.

And then the following commands will make the RACF information addressable by our storage definitions:

           SET ADDRESS OF ACEE TO WS-ACEE-ADDR-POINTER.
           SET ADDRESS OF ACEE-USER-NAME TO ACEEUNAM-POINTER.

Now we have the user’s RACF id in ACEEUSRI, the user’s primary RACF group in ACEEGRPN, and the user’s name in ACEEUNAM. Very simple – just a matter of knowing how to address the information.
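The steps above assembled into one program, as an added example that is not code from the original post: it checks for the null value X'FF000000' that CICS returns from ADDRESS ACEE when the task has no ACEE (for example, when security is not active), and for an unset name pointer, before setting any addresses. The program name ACEEDEMO, the WS- fields and the '*NOACEE*' marker are hypothetical.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. ACEEDEMO.
      * Added example: ACEEDEMO and the WS- names are hypothetical.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  WS-ACEE-ADDR-AREA.
           05  WS-ACEE-ADDR-POINTER  USAGE IS POINTER.
           05  WS-ACEE-PTR-X REDEFINES WS-ACEE-ADDR-POINTER PIC X(4).
       01  WS-OUT-MSG.
           05  FILLER                PIC X(005) VALUE 'USER='.
           05  WS-USERID             PIC X(008) VALUE SPACES.
           05  FILLER                PIC X(007) VALUE ' GROUP='.
           05  WS-GROUP              PIC X(008) VALUE SPACES.
           05  FILLER                PIC X(006) VALUE ' NAME='.
           05  WS-USER-NAME          PIC X(020) VALUE SPACES.
       LINKAGE SECTION.
      * Offsets as given in the post, from SYS1.MACLIB(IHAACEE).
       01  ACEE.
           05  FILLER                PIC X(021).
           05  ACEEUSRI              PIC X(008).
           05  FILLER                PIC X(001).
           05  ACEEGRPN              PIC X(008).
           05  FILLER                PIC X(062).
           05  ACEEUNAM-POINTER      USAGE IS POINTER.
       01  ACEE-USER-NAME.
           05  FILLER                PIC X(001).
           05  ACEEUNAM              PIC X(020).
       PROCEDURE DIVISION.
       MAIN-PARA.
           EXEC CICS ADDRESS ACEE (WS-ACEE-ADDR-POINTER) END-EXEC.
      * X'FF000000' is the CICS null value: this task has no ACEE.
           IF WS-ACEE-PTR-X = X'FF000000'
              OR WS-ACEE-ADDR-POINTER = NULL
               MOVE '*NOACEE*' TO WS-USERID
           ELSE
               SET ADDRESS OF ACEE TO WS-ACEE-ADDR-POINTER
      * Copy the values out; the ACEE itself is only read here.
               MOVE ACEEUSRI TO WS-USERID
               MOVE ACEEGRPN TO WS-GROUP
      * Follow the name pointer only when it has been set.
               IF ACEEUNAM-POINTER NOT = NULL
                   SET ADDRESS OF ACEE-USER-NAME TO ACEEUNAM-POINTER
                   MOVE ACEEUNAM TO WS-USER-NAME
               END-IF
           END-IF.
           EXEC CICS SEND TEXT FROM (WS-OUT-MSG) ERASE FREEKB
           END-EXEC.
           EXEC CICS RETURN END-EXEC.
```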

In a future post, we’ll continue this and see how we can obtain all of the RACF groups to which the user’s RACF id is connected.
