Any process today which can programmatically submit an operator command with the proper authority for that particular command can submit an operator command to add a library name to the APF list, the change from which is immediately effective. Any process today which can programmatically update a system library can update the APF list so that library X.Y.Z will be APF-authorized after the next IPL. Both processes must themselves be treated as if they were APF authorized, meaning they must be tightly controlled as to who can use them. Any process which creates such a process (ATTACH, INTRDR, etc.) must also be tightly controlled. Any process which creates such a process which creates... ad infinitum. Bill Fairchild
----- Original Message ----- From: "John McKown" <[email protected]> To: [email protected] Sent: Monday, November 11, 2013 6:38:27 AM Subject: Re: APF in JCL step I likely don't understand what you really want. But my first thought is "better not be!". APF needs to be _strictly_ controlled and administered. It would be a horrible security hole if somebody could just "at will" run some program as APF authorized which has not be properly set up and vetted. You give me the ability to run my own APF program, and I __OWN__ your system from that moment on. On Mon, Nov 11, 2013 at 5:13 AM, mf db <[email protected]> wrote: > Hello All, > > I am looking for some pointer on a way to APF a Program during JCL run time > alone. Is there a facility within z/OS which helps in Authorizing a > program. > > For example > > //STEP1 EXEC PGM=PLADB2 > //STEPLIB DD DSN=XX.XX.XX,DISP=SHR > > > Z/OS : 1.13 > > Peter > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN > -- This is clearly another case of too many mad scientists, and not enough hunchbacks. Maranatha! <>< John McKown ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
