UUQEX1 - UQ Security Exit

UUQEX1 is a user-written routine called by the UQ utility program before processing UQ functions requested by the terminal operator. This module defines security restrictions on the use of the various functions.

The UQ utility program is a set of logically related modules, each of which services a specific function (H, R, T, M, O, etc.). Each function requested by a terminal operator is logically processed by a separate module. Each of these modules issues a call to the user-written exit routine UUQEX1 before servicing the requested function. Consequently, you can restrict, permit, or eliminate any or all the UQ functions.

Because the UUQEX1 module is only loaded once per invocation of UQ, internal switches can be set and subsequently referenced. Each new invocation of UQ will load a new version of UUQEX1, causing the switches to be reset.

A dummy UUQEX1 module is distributed with the Com-plete system as a member of the distribution source and load libraries.

Note:
No security exists for UQ functions unless it is established by you.


How to Use UUQEX1

At entry to UUQEX1, a set of parameters is received in the form of fullword addresses in register 1. Word 1 of the parameter list contains the address of a return code area in which the status of the request is to be indicated. Word 2 of the parameter list contains the address of a code indicating the nature of the function being requested.

To define security for a specific function, test for the existence of the appropriate function code, establish the desired level of authorization, and set the return code to indicate acceptance or rejection.

In some cases, if a function is rejected, no security violation is posted at the terminal; the function is simply suppressed. For example, if a user ID is restricted to viewing only SYSOUT in output class A, a request for the Q function of UQ will display only SYSOUT in class A.

As described in the Com-plete Utilities documentation, the UQ utility program recognizes well-defined comment cards as part of the input job stream in order to further define security. One of the comment cards can be used to pass information to UUQEX1, providing additional security criteria at the user level. This comment statement is in the format:

//*UQ USER ...xxx... (z/OS)
* *UQ USER ...xxx... (z/VSE) 

where xxx can contain any desired information consisting of a maximum of 60 characters. This information is passed to UUQEX1 for all functions issued for the specific job containing the comment statement. With this special JCL comment statement, an installation can impose security not supported by the standard UUQEX1 conventions.

For example, if a password is required for a certain job's SYSOUT/SYSLST to be displayed using the S function of UQ, the user comment statement could be used in order to communicate the password to the exit routine. The exit routine could then prompt the terminal operator for the password and disallow the request if it is not correctly entered.

UUQEX1 Conventions

The following summarizes the UUQEX1 linkage conventions.

Attributes

AMODE 31

Type

Thread.

Size

Restricted to the UQ thread region.

Registers at Entry

Register 1     Address of the parameter list
Register 13    Address of an 18-fullword save area
Register 14    Return address in the calling module
Register 15    Entry address within UUQEX1

Registers at Return

Registers 2 through 13 must be unchanged.

Parameters

Word 1    Address of a return code halfword. The return code is preset according to the security check on the JCL cards before the exit is called. Possible codes:

          0     Security check passed.
          4     Security check failed. This allows the user exit to override the previous security check by resetting return code 4 to 0.

Word 2    Address of a UQ function code:

          A     Active display
          C     Cancel request
          D     DASD unit display
          DE    Destination routing request
          H     Hold request
          K     Console command request
          M     Console messages display
          O     Operator reply ID display
          OC    Output class alteration
          Q     Generalized job queue display (once per display request)
          QL    Specific job queue display (once per displayed job)
          R     Release request
          S     Spool display request
          T     Tape display request
          V     DASD volume space display

Word 3    Address of the job name (not applicable for the A, D, K, M, O, Q, T, V, C, W and R functions).

Word 4    Address of the job number; 32-bit unsigned, binary (not applicable for the A, D, K, M, O, Q, T, V, C, W and R functions).

Word 5    Address of the job class code (QL function only). Gives message class in JES2, execution class in JES3.

Word 6    Address of the job queue code (QL function only):

          I     Input queue
          O     Output queue
          X     Executing (HASP and JES2 systems only)
          P     Purge active (HASP and JES2 only)

Word 7    Address of the destination code; eight characters, left justified (H, R, C, DE, and QL functions only).

Word 8    Address of the spool ID request type (S function only):

          CC    Condition Code
          JL    JCL on input queue
          SI    Sysin file
          SM    System message file
          SO    Sysout file

Word 9    Address of the 60-byte area containing data from the UQ statement (S, H, R, C and DE functions only):

          //*UQ USER ...     (z/OS)
          * *UQ USER ...     (z/VSE)

          The statement must precede all other UQ comment statements in order to be valid.

Return Codes

0    Allow the request.
4    Security violation.

Considerations

UUQEX1 is loaded once per execution of UQ.
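
The following is an added example, not code from the original page or from the Com-plete distribution. It shows a UUQEX1 exit written to the linkage conventions above: it rejects the C and K functions, rejects S requests for JCL on the input queue (JL), and otherwise leaves the preset return code untouched, so a failed JCL security check is never overridden. The policy is an assumption chosen for illustration, as is testing only the first byte of the function code.

```hlasm
UUQEX1   CSECT
UUQEX1   AMODE 31
         STM   14,12,12(13)        Save caller's registers in its area
         LR    12,15               R15 = entry address, use as base
         USING UUQEX1,12
         LM    2,3,0(1)            R2 -> return code halfword (word 1)
*                                  R3 -> UQ function code     (word 2)
* Assumption: only the first byte of the function code is tested.
* No other listed code starts with C, K or S, and the page does not
* state how one-character codes are padded.
         CLI   0(3),C'C'           Cancel request?
         BE    REJECT
         CLI   0(3),C'K'           Console command request?
         BE    REJECT
         CLI   0(3),C'S'           Spool display request?
         BNE   RETURN              No: keep the preset return code
         L     4,28(,1)            R4 -> spool ID request type (word 8)
         CLC   0(2,4),=C'JL'       JCL on input queue?
         BNE   RETURN              No: keep the preset return code
REJECT   MVC   0(2,2),=H'4'        Return code 4 = security violation
RETURN   LM    14,12,12(13)        Restore registers (2-13 unchanged)
         BR    14                  Return to the calling UQ module
         LTORG
         END   UUQEX1
```

The routine stores only through the return code address passed in word 1 and uses the caller's save area, so it keeps no state of its own between calls.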