I was around as a sysprog in 1990-1992 around the time that IBM introduced the major security improvements to MVS/ESA 3.1.3 and RACF 1.9.2.
At the time IBM reps explained that SAF was responsible for various actions taken early in the life of MVS. It handled the concepts of label dominance and reverse dominance. This is largely associated with security using SECLABELs in RACF parlance. In general security issues prior to the commencement of an ESM still need to be handled. That is the responsibility of SAF.

I'd really welcome an IBM voice to verify or correct my statements above.

Lennie Dymoke-Bradshaw
https://rsclweb.com
‘Dance like no one is watching. Encrypt like everyone is.’

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of zMan
Sent: 05 May 2022 16:47
To: [email protected]
Subject: Re: SAF without an ESM

Well, sure, you can write your own ESM. But that's not SAF doing anything itself. Same applies to exits, mentioned elsewhere. As written, that graf sounds like SAF itself will do some security checking, OR you can buy an ESM and do more.

On Wed, May 4, 2022 at 1:25 PM Charles Mills <[email protected]> wrote:

> My impression is that it does whatever you want it to do! That is, it
> either permits everything, or you get to write your own rules; write
> your own ESM, essentially. You need to write the part that SAF calls,
> and of course you also need to come up with some sort of
> administration, some way to configure what you have written.
>
> Charles
>
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of zMan
> Sent: Wednesday, May 4, 2022 9:51 AM
> To: [email protected]
> Subject: SAF without an ESM
>
> On https://www.ibm.com/docs/en/zos-basic-skills?topic=zos-what-is-saf, IBM
> says:
>
> > System authorization facility or SAF is an interface defined by MVS™
> > that enables programs to use system authorization services to
> > control access to resources, such as data sets and MVS commands.
> > SAF either processes security authorization requests directly or
> > works with RACF®, or other security product, to process them.
>
> Someone on r/mainframe asks what SAF does without an ESM. I'm thinking
> "not much", but the last sentence above sort of suggests
> otherwise--unless "SAF either processes security authorization
> requests directly" means "returns RC=0 in all cases", in which case
> it would be accurate but IMHO overly vague. Thoughts?
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions, send
> email to [email protected] with the message: INFO IBM-MAIN

--
zMan -- "I've got a mainframe and I'm not afraid to use it"
