To add to this discussion, it is my understanding that when IBM tests new version of z/OS, they do so with the tasks named in the documentation with TRUSTED authority. Since they have TRUSTED, IBM does not determine or document what access authorization the tasks require. If you choose to run z/OS with any of these tasks without TRUSTED, you are doing so in a state IBM has not tested nor provided access authorization guidance; hence, you do so at your own risk and may encounter access authorization issues that could be detrimental to the system. I used to advocate for not using PRIVILEGED or TRUSTED for any tasks but relented once I learned of this for the sake of system availability. I now warn clients whenever I discover any of these tasks running without TRUSTED.
Regards, Bob Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel www.rshconsulting.com -----Original Message----- Date: Mon, 21 Aug 2023 09:40:20 +1000 From: Andrew Rowley <and...@blackhillsoftware.com> Subject: Re: XCFAS and TRUSTED On 21/08/2023 9:28 am, Lennie Dymoke-Bradshaw wrote: > Secondly, when IBM states that a task should be given the attribute of > Trusted, then I take it to mean that IBM is saying that the task can be > trusted that this attribute cannot be the source of an exposure for that task. I think when IBM says a task should be given trusted, it's a stronger statement than that. I take it to mean that the task should never be denied access by the security system, and any denial of access risks the stability or operation of the system. -- Andrew Rowley Black Hill Software ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN