Yes, I think I understand that now. It was only recently that I found out the APF and AC(1) are even sort of unrelated in a way. I always though that any module performing authorized functionality had to be linked AC(1), but I found that only main routines should be linked AC(1) and that it can even be dangerous to link a module that is not intended to be called as a main routine AC(1).
On Tue, 22 Feb 2022 15:12:35 +0000, Seymour J Metz <[email protected]> wrote: >APF AC(1), program control and UID(0) are mutually unrelated. > > >-- >Shmuel (Seymour J.) Metz >http://mason.gmu.edu/~smetz3 > >________________________________________ >From: IBM Mainframe Discussion List [[email protected]] on behalf of >Erik Janssen [[email protected]] >Sent: Monday, February 21, 2022 3:59 PM >To: [email protected] >Subject: Re: creating a python login module > >Well, the routine I wrote can handle a user, password or passphrase and >optionally an APPL to verify against. >So, even though there are a lot of options to do it different, I was more >looking for ways how such a 'service routine' that needs apf authorization >could be used from a non-authorized caller. >The __passwd routine can do it, but it requires program controlled environment >and python doesn't seem to be defined as program controlled and I don't want >to 'just' enable it. >Also, the relation between APF authorisation and program control (if any) >still eludes me, and if there is no relation then I don't understand how >__passwd can check a password if the environment is not apf authorized. >I hope that someone can explain how that works. > >Kind regards, >Erik. > >On Mon, 21 Feb 2022 15:10:48 +0000, Colin Paice <[email protected]> wrote: > >>Erik, >> >>Do you need to specify a password? >> >>Could you define a RACF profile instead, and use RACF check to see if the >>userid has access to that profile? >>I dont think there is a Callable function for it, but you could write some >>glue code to call an assembler routine to do a RACROUTE call. >> >>You could use an existing class, such as APP. >>I dont think it needs to be APF authorised... but you would need to check >>this. >> >>Colin >> > >---------------------------------------------------------------------- >For IBM-MAIN subscribe / signoff / archive access instructions, >send email to [email protected] with the message: INFO IBM-MAIN > >---------------------------------------------------------------------- >For IBM-MAIN subscribe / signoff / archive access instructions, >send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
