------------------------------------<snip>-------------------------------
What are the principal offenders? From an applications viewpoint, I see
(the facilities provided by) IEBCOPY, IDCAMS, TRANSMIT/RECEIVE.
(Others?) I find it bizarre that in a non-APF authorized state I can't
manipulate data or rename data sets for which I have all otherwise
necessary RACF authority.
What relief would be possible?
------------------------------------<unsnip>--------------------------------
APF authorization is intended not only to protect the user from himself,
but also to maintain system integrity. Invoking the wrong service at the
wrong time could be a major disaster for the entire data center. Bear in
mind that APF authorization also allows a programmer to bypass many of
the checks that help maintain integrity, as well as RACF security (or
ACF2 or Top Secret). You can't expect security to be able to distinguish
a System dataset from a User dataset by keeping a table of DSNAMEs,
since we have the option of renaming so many critical system datasets
during installation. So between APF and RACF (et al.), the system keeps
a fairly tight rein on who does what.
--------------------------------------<snip>--------------------------------------
o Could IEBCOPY be enhanced to operate without APF authorization? What
performance degradation would this involve?
-------------------------------------<unsnip>------------------------------------
IIRC, IEBCOPY uses a couple of fairly sophisticated I/O Appendages in
achieving its stellar performance. These are NOT for the average programmer.
-------------------------------------<snip>----------------------------------
o BPX1EXM appeared tantalizing when it first appeared. But it suffers
the defect of not supporting useful DDNAME allocation. Would an
APF-authorized wrapper invoked via BPX1EXM, allocating data sets
specified by the TSOALLOC environment variable as used by the US^H^H
OMVS command, then calling a target authorized utility be secure and useful?
--------------------------------------<unsnip>----------------------------------
I would question the need.
------------------------------------<snip>------------------------------------
o The new-fangled (z/OS 1.4) Unix Rexx "address TSO" subcommand
environment is a great help in some cases: it runs the TMP in a
separate, presumably secure, address space. Alas, it's available only
when Rexx is spawned from a shell. Would it be possible to access this
environment with a suitable API call to the Rexx interpreter?
-------------------------------------<unsnip>---------------------------------
Here again, I would question the need.
I can't make any form of "detailed" comments on the last two points, due
to my complete lack of experience in these areas. But if a bona fide
business case were presented to IBM, with enough positive response, there
MIGHT be adjustments made or mechanisms developed.
Rick
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html