> 'Programmers Writing Authorized Applications: Programmers writing authorized 
> applications (that is, APF-authorized programs) can use the RACROUTE macro 
> to request security-related services,...'.
> 
> It means, being in APF status, you can do 'privileged' things.

It means that APF-authorized code *should* use RACROUTE requests and avoid 
doing anything "privileged" on behalf of users that are not defined with 
sufficient authority.  

There is also the z/OS Statement of Integrity which alludes to APF-authorization 
as one of the three authorized states, along with supervisor state and 
protection key less than 8.  


 
> Date: Thu, 9 Sep 2010 08:01:27 -0500
> From: elardus.engelbre...@sita.co.za
> Subject: Re: Where is APF documented?
> To: IBM-MAIN@bama.ua.edu
> 
> Charles Mills wrote:
> 
> >Thanks. That's certainly better than anything else I found.
> 
> Agreed. Chap 21 is indeed useful, but could be too technical for auditors. 
> 
> >But I would really like a formal or fairly formal *definition* of APF 
> authorization.
> 
> This could be messy as I just found out. May I join you? ;-D
> 
> >Here's a way to re-phrase the question. Suppose an auditor said "show me a
> definition of APF authorization and a statement of what it means." Where
> would you point him? (No smart answers please.)
> 
> Look at Init and Tuna Ref. I quote this useful statement you can fire off at 
> your auditors:
> 
> 'The authorized program facility (APF) allows your installation to identify
> system or user programs that can use sensitive system functions.'
> 
> Another useful quote from 'Assembler Services Guide':
> 
> 'The authorized program facility (APF) helps your installation protect the 
> system. APF-authorized programs can access system functions that can 
> affect the security and integrity of the system.' 
> 
> Failing that, research the words 'supervisor state/status', MODESET.
> 
> Another useful quote (yes, I know it is very technical), you can rewrite for 
> brevity, from 'Security Server RACF Security Administrator's Guide':
> 
> 'Programmers Writing Authorized Applications: Programmers writing authorized 
> applications (that is, APF-authorized programs) can use the RACROUTE macro 
> to request security-related services,...'.
> 
> It means, being in APF status, you can do 'privileged' things.
> 
> February 25, 2003, SHARE Session Number: 2889 is also interesting, but very 
> technical...
> 
> Does this help you?
> 
> Groete / Greetings
> Elardus Engelbrecht
                                          
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
