@zMan: SAF, itself, has exits that could be used to make security decisions and even overrule those made by the ESM.
@coasthermit: You experienced what it known as Failsoft processing. RACF itself wasn't disabled but its databases were, so it turns to the operator for approval of every access authorization check. I've only come across one installation that had an exit to do just what you suggest. Regards, Bob Robert S. Hansel 35 years of RACF Experience Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel www.twitter.com/RSH_RACF www.rshconsulting.com -----Original Message----- Date: Thu, 5 May 2022 05:45:53 +0800 From: coasthermit <[email protected]> Subject: Re: SAF without an ESM Many years back I IPLed my onepak system with RACF disabled to see what happened.Every access of a resource sent a reply prompt to the console for YES/NO.It took a while but I eventually got enough of MVS up that I could logon to TSO/E.I considered writing my own RACF exit that returned OK for every access request, but in the end I just built a default RACF data base for that system to use.Maybe SAF still works the same way. -----Original Message----- Date: Wed, 4 May 2022 12:50:49 -0400 From: zMan <[email protected]> Subject: SAF without an ESM On https://www.ibm.com/docs/en/zos-basic-skills?topic=zos-what-is-saf , IBM says: > System authorization facility or SAF is an interface defined by MVS™ that > enables programs to use system authorization services to control access to > resources, such as data sets and MVS commands. SAF either processes > security authorization requests directly or works with RACF®, or other > security product, to process them. Someone on r/mainframe asks what SAF does without an ESM. I'm thinking "not much", but the last sentence above sort of suggests otherwise--unless "SAF either processes security authorization requests directly" means "returns RC=0 in all cases", in which case it would be accurate but IMHO overly vague. Thoughts? ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
