> if it were not designed to be invoked in an authorized environment, it should > not be included in an APF authorized load library
That is a VERY key issue, but I don't believe there is general agreement here on whether that statement is true or not. There seem to be two schools here, which I will paraphrase as 1. As you say above. 2. If it is not AC=1, then its developers did not necessarily intend it to run authorized, and it is the responsibility of any authorized caller to be certain (how?) that calling it authorized will not generate an integrity exposure. Personally, I really like your version because I think (2.) puts a nearly-impossible standard on authorized callers needing "utility" or similar functions such as that provided by IEBCOPY. But many people here insist on 2. Charles -----Original Message----- From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Tom Marchant Sent: Monday, March 16, 2015 12:26 PM To: [email protected] Subject: Re: IEBCOPYO (was: APF-authorized ...) On Mon, 16 Mar 2015 13:57:45 -0500, Paul Gilmartin wrote: >IEBCOPY has been demoted from "APF Authorized" to "Module residing in >an authorized library, marked AC(0), so not designed to be invoked >authorized." ITYM "Does not require authorization when executed as a job step program." Because it is used by SMP/E, which is known to invoke it in an authorized environment, it has to be designed to be invoked in an authorized environment. Furthermore, if it were not designed to be invoked in an authorized environment, it should not be included in an APF authorized load library. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
