To clarify. Inclusion of an unauthorized library in JOBLIB/STEPLIB concatenation makes the entire list unauthorized. That is, the concatenation can *lose* authorization but not gain it. And SYS1.LINKLIB is always APF even if not explicitly named.
. . J.O.Skip Robinson Southern California Edison Company Electric Dragon Team Paddler SHARE MVS Program Co-Manager 323-715-0595 Mobile 626-543-6132 Office ⇐=== NEW [email protected] -----Original Message----- From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Gibney, Dave Sent: Tuesday, December 19, 2017 11:47 PM To: [email protected] Subject: (External):Re: SYS1.LINKLIB and APF (Was: Cobol upgrade 6.2 linklist) No. Unless SYS1.LINKLIB is also explicitly in the APF list, it won't be APF authorized when STEPLIB/JOBLIB'd. For the step to be authorized, all entries in STEPLIB/JOBLIB need to be explicitly authorized. > -----Original Message----- > From: IBM Mainframe Discussion List [mailto:[email protected]] > On Behalf Of Lizette Koehler > Sent: Tuesday, December 19, 2017 3:47 PM > To: [email protected] > Subject: SYS1.LINKLIB and APF (Was: Cobol upgrade 6.2 linklist) > > @Skip > > Taking this discussion a little sideways. > > I seem to remember that if you used SYS1.LINKLIB in a JOBLIB/STEPLIB > concatenation with other non-APF authorized libraries, because it is > SYS1.LINKLIB - the Joblib/Steplib would become APF Authorized whether > they were or not. > > This was due to SYS1.LINKLIB would always be apf authorized by the > operating system. > > Am I remembering this correctly or not? > > Thanks > > Lizette > > > > > -----Original Message----- > > From: IBM Mainframe Discussion List [mailto:IBM- > [email protected]] > > On Behalf Of Jesse 1 Robinson > > Sent: Tuesday, December 19, 2017 3:36 PM > > To: [email protected] > > Subject: Re: Cobol upgrade 6.2 linklist > > > > A linklist data set need not be authorized. If you specify > > LNKAUTH=APFTAB in IEASYSxx, then an application library would be > > authorized only if you created an APF entry for it. Assuming that > > SYS2.PRODLIB is not APF, then there is no more danger in linklisting > > it than > allowing users to STEPLIB to it. > > > > The exposure that my ancient Audit department focused on was devious > > code that could be slipped into production in some random library > > being STEPLIBed to in an individual job. Code like the legendary > > (fairytale?) case of diverting fractions of a cent from accounts > > payable into > a private fund. > > Someone would have to vet the source code, of course, but at least > > there was an audit trail from source to production. > > > > . > > . > > J.O.Skip Robinson > > Southern California Edison Company > > Electric Dragon Team Paddler > > SHARE MVS Program Co-Manager > > 323-715-0595 Mobile > > 626-543-6132 Office ⇐=== NEW > > [email protected] > > > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, send > email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
