On Tue, 6 Jul 2010 19:37:15 +0000, Ted MacNEIL <[email protected]> wrote:
>>I wonder if IBM would consider changing that? > >Don't ask me; ask them. > >Of course, a new interface would have to be designed. >RACF already has hooks in OPEN, they would have to put one in ENQ. No, Ted, RACF would not "put one in ENQ." RACF does not have any hooks anywhere. System resource managers decide which functions need security, and implement appropriate calls ( via RACROUTE or callable services) to SAF in order to implement their security needs. Even before SAF, it was still the responsibility of the resource manager to call RACF, via the older macros. Other security products certainly did, and may still, "hook" into the system to provide their functions, but it does not work that way with RACF and never has. We believe that the resource owner, who understands the design of their code, should decide what needs security, and where it is appropriate to provide it. So, if the designers of ENQ feel it is appropriate to provide this security function, they will do so. At most what we in RACF would do is consult with them about how to implement their call, or possibly implement a change in the SAF interfaces if they need some kind of processing we don't already provide. -- Walt Farrell IBM STSM, z/OS Security Design ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
