Are you guys saying APF authorized should be dynamically turned on or off based on type of usage?

Scott Ford
www.identityforge.com
from my IPAD
'Infinite wisdom through infinite means'

> On Nov 11, 2013, at 8:40 AM, Greg Schmeelk <[email protected]> wrote:
>
> What could go wrong, John? It isn't like there are modules set up for all
> the major security products that can give specific users unlimited access
> to all data on a system, right? :-)
>
> I'm with you, dynamic authorization shouldn't be treated the way it
> appears that the original poster wishes to use it.
>
> My (rare) two cents,
>
> Greg Schmeelk | Sr Systems Programmer | Lowell, AR
>
> From: John McKown <[email protected]>
> To: [email protected]
> Date: 11/11/2013 07:34 AM
> Subject: Re: APF in JCL step
> Sent by: IBM Mainframe Discussion List <[email protected]>
>
> Yes, it is certainly possible to open a system up to the world by allowing
> z/OS operator commands via JCL. Which is why we have OPERCMDS set up to
> restrict the SETPROG z/OS command to tech services people only. And we
> don't allow "in stream" (JCL) submission of z/OS operator commands. Yes, we
> have a program which can issue an operator command via JCL as in "//DOCMD
> EXEC PGM=ZOSCMD,PARM='D A,L' ". But that resides in a restricted APF
> library which "normal" people can't even READ.
>
> Yes, I have a touch of terminal paranoia! <grin/>
>
>> On Mon, Nov 11, 2013 at 7:13 AM, DASDBILL2 <[email protected]> wrote:
>>
>> Any process today which can programmatically submit an operator command
>> with the proper authority for that particular command can submit an
>> operator command to add a library name to the APF list, the change from
>> which is immediately effective.
>> Any process today which can programmatically update a system library can
>> update the APF list so that library X.Y.Z will be APF-authorized after the
>> next IPL.
>>
>> Both processes must themselves be treated as if they were APF authorized,
>> meaning they must be tightly controlled as to who can use them. Any
>> process which creates such a process (ATTACH, INTRDR, etc.) must also be
>> tightly controlled. Any process which creates such a process which
>> creates... ad infinitum.
>>
>> Bill Fairchild
>
> --
> Another case of too many mad scientists and not enough hunchbacks.
>
> Maranatha!
> John McKown
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
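The OPERCMDS control John McKown describes, as an added example that is not part of the thread or anyone's posted code: a REXX exec that issues the RACF commands needed to restrict the SETPROG operator command to a single technical-services group and to audit every use of it. It assumes RACF is the external security manager, the OPERCMDS class is active with generic profiles enabled, and TECHSVCS is a hypothetical group name chosen for illustration.

```rexx
/* REXX - added example, not from the thread.                           */
/* Restrict the SETPROG operator command (which can add libraries to the */
/* APF list with immediate effect) to one group, and log every attempt.  */
/* Assumes RACF, an active OPERCMDS class with generic profiles enabled,  */
/* and a hypothetical group named TECHSVCS.                               */

address TSO

/* Default access NONE: nobody can issue SETPROG unless explicitly       */
/* permitted. AUDIT(ALL(READ)) writes an SMF record for every attempt,   */
/* successful or failed, so APF-list changes are visible to detection.   */
"RDEFINE OPERCMDS MVS.SETPROG.** UACC(NONE) AUDIT(ALL(READ))"

/* SETPROG is checked at UPDATE level; grant it only to tech services.    */
"PERMIT MVS.SETPROG.** CLASS(OPERCMDS) ID(TECHSVCS) ACCESS(UPDATE)"

/* OPERCMDS profiles are RACLISTed in storage; refresh so the new        */
/* profile and permission take effect without waiting for an IPL.        */
"SETROPTS RACLIST(OPERCMDS) REFRESH"

/* Verify the result: list the profile with its access list.             */
"RLIST OPERCMDS MVS.SETPROG.** AUTHUSER"

exit rc
```

The second control in the same message, refusing in-stream operator commands from JCL, is a JES2 setting rather than a RACF profile: the JOBCLASS initialization statement's COMMAND parameter (IGNORE rather than EXECUTE) decides whether commands in a job's input stream are run. Keeping both controls in place is what makes the APF list itself, and not just the libraries on it, a protected resource.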
