As I said, I am not sure about whether I can do the authorized-only thing before the call to Y, or whether it will have to be afterwards. Still doing research and design (obviously!).
MODESET does not reset authorization (so far as I know) and the implication of JSCBAUTH is that it is at the jobstep level. Charles -----Original Message----- From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Robert A. Rosenberg Sent: Sunday, March 15, 2015 9:57 PM To: [email protected] Subject: Re: APF-authorized calling non-authorized At 11:37 -0700 on 03/15/2015, Charles Mills wrote about Re: APF-authorized calling non-authorized: >Okay. I hear you. Here is the business problem. > >I need to develop program X. It must run APF-authorized to do one of >the things it needs to do. I have written APF-authorized programs >before and I more or less know what I am doing. I know enough to ask >(some of?) the right questions and have the proper concerns. > >It also needs to do something we will call "processing A." It just so >happens that there is an IBM program Y that does exactly A. (In fact, >the real purpose of program X is front-ending program Y and doing some >additional things, one of which requires authorization). The IBM >program is >AC=0 in an authorized library. I of course do not have the source for Y >and so cannot inspect it for potential integrity issues. > >What do you suggest? Must I re-write Y from scratch so I may be >relatively certain of its integrity? Once your routine does its authorized thing does it need to remain authorized? If not, then MODESET before the call. Query - If I attach subtask and have it do the MODESET and then the call, will the main task lose its AUTH status? If not then this might be a way to handle the issue. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
