Charles,

What we did in a similar situation was have the front-end program perform only those tasks that needed to be APF-authorized and then turn off its APF-authorization and call the remaining programs that did not need authorization.

I believe the latest version of MVS Planning: Security is circa 1984.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com
-----------------------------------------------------------------------
2014-2015 RACF Training
- Audit & Compliance Roadmap - Boston - APR 21-24, 2015
- Intro & Basic Admin - WebEx - JUN 22-26, 2015
-----------------------------------------------------------------------

-----Original Message-----
Date: Sun, 15 Mar 2015 11:37:30 -0700
From: Charles Mills <charl...@mcn.org>
Subject: Re: APF-authorized calling non-authorized

Okay. I hear you. Here is the business problem.

I need to develop program X. It must run APF-authorized to do one of the things it needs to do. I have written APF-authorized programs before and I more or less know what I am doing. I know enough to ask (some of?) the right questions and have the proper concerns.

It also needs to do something we will call "processing A." It just so happens that there is an IBM program Y that does exactly A. (In fact, the real purpose of program X is front-ending program Y and doing some additional things, one of which requires authorization).

The IBM program is AC=0 in an authorized library. I of course do not have the source for Y and so cannot inspect it for potential integrity issues.

What do you suggest? Must I re-write Y from scratch so I may be relatively certain of its integrity? The only alternative I see is calling (LINK, etc.) Y from X.

I agree with you. While we can be relatively confident that Y does nothing "bad" intentionally its authors presumably never intended it to run authorized. They may have said "oh, don't worry about that -- it will ABEND if anyone tries to do THAT" and that assumption will no longer be valid.

Suggestions?

No, there does not appear to be a V2R1 manual called MVS Planning: Security.
Charles