I don't think SMPE's APF attribute is the root of the problem. There are numerous APF programs that are safely usable by users with extremely variable privileges and authorities (e.g., IEBCOPY, AMASPZAP, and Binder).
I think the real problem is the fact that SMPE somehow "abuses" APF to bypass normal security checks for some of its processing. Until IBM decides to correct that (removing APF seems like it would be effective but also seems like overkill), an equitable solution that addresses the needs of both sysprogs and non-sysprogs is likely to be elusive.

:>: -----Original Message-----
:>: From: IBM Mainframe Discussion List [mailto:[email protected]] On
:>: Behalf Of Ed Jaffe
:>: Sent: Wednesday, July 24, 2013 8:00 AM
:>: To: [email protected]
:>: Subject: Re: SMP/E vs. NON SMPE Installs (Was BLKSIZE=3120)
:>:
:>: On 7/23/2013 5:21 PM, Paul Gilmartin wrote:
:>: > On Tue, 23 Jul 2013 17:58:16 -0600, Roger Bolan wrote:
:>: >
:>: >> Application programmers should be able to use SMP/E.
:>:
:>: [snip]
:>:
:>: > A voice of reason. And it was safe, or at least believed to be safe, until
:>: > IO11698/IO12263.
:>:
:>: This would make a good SHARE requirement. The goal should be to remove
:>: APF authorization from SMP/E and, at the same time, remove the SAF
:>: checking that was recently introduced to limit who could use SMP/E.
:>:
:>: Originally, SMP/E required authorization only because IEBCOPY required
:>: it. Now that IEBCOPY no longer requires authorization (as of z/OS 1.13),
:>: it would seem easy to remove the AC(1) binder attribute from SMP/E.
:>: Right? Not so fast! It's entirely possible that additional features were
:>: added to SMP/E over the years that work only because it's APF
:>: authorized. If so, those features will need to be identified and
:>: additional development will be required to find a way to provide similar
:>: function from unauthorized SMP/E.
:>:
:>: Clearly, someone at IBM needs to work on this. SMP/E should go back to
:>: being a utility that anyone can use--not just a privileged few.
