pysear 0.6.0

A unified and standardized interface to RACF callable services.

Security API for RACF (SEAR)

A standardized JSON interface for RACF that enables seamless exploitation by programming languages that have a foreign language interface for C/C++ and native JSON support.

Description

As automation becomes more and more prevalent, the need to manage the security environment programmatically increases. On z/OS that means managing a security product like the IBM Resource Access Control Facility (RACF). RACF is the primary facility for managing identity, authority, and access control for z/OS. There are more than 50 callable services with assembler interfaces that are part of the RACF API. The complete set of interfaces can be found in the IBM documentation.

While there are a number of languages that can be used to manage RACF, (from low level languages like Assembler to higher level languages like REXX), the need to be able to easily exploit RACF management functions using existing industry standard programming languages and even programming languages that don't exist yet is paramount. The SEAR project is focused on making RACF management functions available to all programming languages that have native JSON support and a foreign language interface for C/C++. This will make it easier to pivot to new tools and programming languages as technology, skills, and business needs continue to evolve in the foreseeable future.

Minimum z/OS & Language Versions

All versions of z/OS and the IBM Open Enterprise SDK for Python that are fully supported by IBM are supported by SEAR.

• z/OS Product Lifecycle
• IBM Open Enterprise SDK for Python Product Lifecycle

Dependencies

• R_SecMgtOper (IRRSMO00): Security Management Operations.
  • More details about the authorizations required for IRRSMO00 can be found in the IBM documentation.
• R_Admin (IRRSEQ00): RACF Administration API.
  • More details about the authorizations required for IRRSEQ00 can be found in the IBM documentation.
• R_Datalib (IRRSDL64): RACF Certificate data library.
  • More details about the authorizations required for IRRSDL64 can be found in the IBM documentation.
• RACF Subsystem Address Space: This is a dependency for both IRRSMO00 and IRRSEQ00.
  • More information can be found in the IBM documentation.
• z/OS Language Environment Runtime Support: SEAR is compiled using the IBM Open XL C/C++ 2.1 compiler, which is still fairly new and requires z/OS Language Environment service updates for runtime support.
  • More information can be found in section 5.2.2.2 Operational Requisites on page 9 in the Program Directory for IBM Open XL C/C++ 2.1 for z/OS.

Getting started

:bulb: Note: You can also Download & Install SEAR from GitHub

pip install pysear

Make sure you have the right authorizations, detailed in the full documentation.

How to create a simple userid using SEAR:

from sear import sear

result = sear(
    {
        "operation": "add",
        "admin_type": "user",
        "userid": "FDEGILIO",
        "traits": {
            "base:name": "FRANK D",
        },
    },
)

print(result.result)

Further examples are located under examples in the documentation.

Additional help can be found in the following communities:

• GitHub Discussions
• System Z Enthusiasts discord

Build from source

Alternatively to installing from Pip, SEAR can be built from source on a z/OS system. SEAR uses a CMake build system, and can be built via a two-step process:

cmake --preset <preset>
cmake --build --preset <preset> --target <sear,pysear>

The first command will configure the build environment and generate build scripts in a directory named build/<preset>, then the second command builds the given target.

A complete list of available CMake presets can be found in CMakePresets.json, but the most useful are:

• default - Does not apply any special platform handling, and should work on most platforms.

• zos - Applies the cmake/ibm-clang.cmake toolchain to the build process. This compiles the project using the IBM-Clang compiler, and works only on z/OS systems.

• zos-pysear - Inherits from the zos preset. Used internally as part of the Python package build process, and not generally used by hand.

Build artifacts are located within the build directory.

The CMake build process builds static libraries by default. If you instead wish to build shared libraries, append -DBUILD_SHARED_LIBS=on to the CMake configure step command (the first of the two) shown above.

Maintainers

• Bobby Tjassens Keiser
• Emma Skovgård

Authors of RACFu

This is a fork of RACFu

• Leonard Carcaramo: lcarcaramo@ibm.com
• Elijah Swift: Elijah.Swift@ibm.com
• Frank De Gilio: degilio@us.ibm.com
• Joe Bostian: jbostian@ibm.com