-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Walt Farrell
Sent: Tuesday, April 13, 2010 9:44 AM
To: [email protected]
Subject: Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

On Tue, 6 Apr 2010 10:39:22 -0500, Walt Farrell <[email protected]> wrote:

<SNIPPAGE>

Quoting from IO12263:

<quote>
...However, of all the functions described above, several need to be controlled very carefully. *Users who are granted access to these resources have the potential to undermine system security regardless of any data set protections you may have in place.* Therefore, they should be as trusted, for example, as users who have authority to update APF authorized libraries. ...

[Emphasis and coloring mine]

<SNIPPAGE>

After some discussion here in the office, we are wondering why SMP/E would be allowed to subvert the protections on data sets (see the bold in the above quote).

The discussion came down to this sample: If one only has READ authority to SYS1.LPALIB [or pick one of your favorites for this example], why should SMP/E allow a USERMOD (or one's own cobbled PTF) to that library?

Now, if the underlying security product (NOT RACF) allows this access when SMP/E asks, those of us discussing this [here in our offices] don't think this is an IBM integrity issue.

And given that we are an ISV, we know we will have to inform our L1/2 persons to be aware of the "SMP/E" error messages that will come out and the questions that will come their way as a result.

Regards,
Steve Thompson

-- Opinions expressed by this poster do not necessarily reflect those of poster's employer --

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

