Paul Gilmartin wrote: >"Very bad practice", indeed. And IBM appears to have been unable to repair >the flaw, and settled on building a RACF fence around it.
Indeed. But the RACF fence (FACILITY Class, profile GIM.<whatever>) caused some confusion as observed from past discussions in IBM-MAIN and RACF-L. ... and caused my SMP/E team to jump up and down in tears despite having the right APARS... :-( This is because as documented '... user does not have READ authority to those resources, then SMP/E processing will stop.' Just that. STOP. FULL STOP. Bang! Annoying. Anyways, SMP/E manual told me this (new text from z/OS v1.12) lame story: "However, of all the functions described above, several need to be controlled very carefully. Users who are granted access to these resources have the potential to undermine system security regardless of any data set protections you may have in place. Therefore, they should be as trusted, for example, as users who have authority to update APF authorized libraries. " I could use a more and better explanation about those flaws. Groete / Greetings Elardus Engelbrecht ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
