> 'Programmers Writing Authorized Applications: Programmers writing authorized > applications (that is, APF-authorized programs) can use the RACROUTE macro > to request security-related services,...'. > > It means, being in APF status, you can do 'privileged' things.
It means that APF-authorized code *should* use RACROUTE requests and avoid doing anything "privileged" on behalf of users that are not defined with sufficient authority. There is also the z/OS Statement of Integrity which aludes to APF-authotization as one of the three authorized states, along with supervisor state and protection key less than 8. > Date: Thu, 9 Sep 2010 08:01:27 -0500 > From: elardus.engelbre...@sita.co.za > Subject: Re: Where is APF documented? > To: IBM-MAIN@bama.ua.edu > > Charles Mills wrote: > > >Thanks. That's certainly better than anything else I found. > > Agreed. Chap 21 is indeed useful, but could be too technical for auditors. > > >But I would really like a formal or fairly formal *definition* of APF > authorization. > > This could be messy as I just found out. May I join you? ;-D > > >Here's a way to re-phrase the question. Suppose an auditor said "show me a > definition of APF authorization and a statement of what it means." Where > would you point him? (No smart answers please.) > > Look at Init and Tuna Ref. I quote this useful statement you can fire of at > your auditors: > > 'The authorized program facility (APF) allows your installation to identify > system or user programs that can use sensitive system functions.' > > Other useful quote from 'Assembler Services Guide': > > 'The authorized program facility (APF) helps your installation protect the > system. APF-authorized programs can access system functions that can > affect the security and integrity of the system.' > > Failing that, research the words 'supervisor state/status', MODESET. > > Other useful quote (yes, I know it is very technical), you can rewrite for > brevity, from 'Security Server RACF Security Administrator's Guide': > > 'Programmers Writing Authorized Applications: Programmers writing authorized > applications (that is, APF-authorized programs) can use the RACROUTE macro > to request security-related services,...'. > > It means, being in APF status, you can do 'privileged' things. > > February 25, 2003, SHARE Session Number: 2889 is also interesting, but very > technical... > > Does this help you? > > Groete / Greetings > Elardus Engelbrecht ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html