On Thu, 14 Jul 2011 15:15:58 -0500, Walt Farrell <[email protected]> wrote:
>On Thu, 14 Jul 2011 14:22:46 -0500, Mark Zelden <[email protected]> wrote: > >>On Thu, 14 Jul 2011 14:37:29 -0400, Mark Jacobs <[email protected]> >>wrote: >> >>>I asked IBM specifically whether the then new SAF profiles were used >>>while using the query functions in the SMP/E ISPF interface and their >>>answer was no. >>> >> >>(I hate mixing top posting and bottom posting, so I snipped the prior >>context ... sorry. Also changed the subject). >> >>If that is true, it sounds inconsistent with what the enhancement is >>doing (unless things like LIST and REPORT aren't protected). So >>you protect the LIST command, but don't specifically protect the >>ISPF libraries because the HLQs are SYS1 and everyone has read >>access to SYS1. Then someone can just execute the ISPF interface >>and do the equivalent of LIST. > >It is true. > >Remember that the SMP/E enhancement was made to close a system integrity >exposure, which existed because SMP/E runs authorized. > >The query function via the ISPF panels does not run authorized, and does not >participate in the integrity exposure, and so did not need that enhancement. > >And in any case, because the query function does not run authorized, if we had >put a security check in it to allow control of the query function it would not >be fully effective; a somewhat clever user would be able to bypass it. > Ah yes. Thanks for the reminder of what the intended purpose was and clarification on why it isn't needed nor implemented for ISPF query. Mark -- Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS mailto:[email protected] Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html Systems Programming expert at http://expertanswercenter.techtarget.com/ ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
