On Wed, 3 Aug 2016 09:39:01 -0700, retired mainframer <[email protected]> wrote:
>> -----Original Message----- >> From: IBM Mainframe Discussion List [mailto:[email protected]] On >> Behalf Of Lizette Koehler >> Sent: Wednesday, August 03, 2016 8:07 AM >> To: [email protected] >> Subject: Re: Adding Module to a empty APFed Library >> >> Just a note. Auditors hate it when we have an APF list entry with no >> dataset. Makes them >> cringe. > >I wonder why. The only time it would have any effect is if something is added >to it. Adding to an empty APF library is hardly different than adding to a >populated one. > >Did they ever discuss what additional exposure they thought it created? If the data set exists, you can verify how it is protected and ensure that only appropriate users can update it. If the data set does not exist, then you have to worry about two things: (1) Who can create it, which is harder to determine than figuring out who can access a data set that already exists; and (2) Will it be protected properly when someone does create it. Additionally, if the data set exists you can examine the modules in it and check for various security/integrity exposures, such as inappropriate modules having AC(1). You can't do that for a data set that doesn't yet exist. -- Walt ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
