On Fri, 26 Jan 2018 12:35:05 +0200 ITschak Mugzach <[email protected]> wrote:
:>No sure, Binyamin. :>A "need to know" is security rule of thumb. Why should a programmer or any :>other tso user which datasets are APF authorized, which are specified in :>LPA or Linlist? BTW, IBM recognized that this is a security issue and an :>ISPF panel is displayed requires YES to proceed. While need to know is valid, putting bars an alarms on the door when the wall can simply be walked around does nothing. The APF list is available to a problem state program. Disassembly does not require special privileges. Thus "securing" these function will only fool people. Don't protect the program - protect the data. A RFE to place the names of the APF datasets in protected storage and require SAF to use the API to retrieve them would be logical. :>ITschak :> :>On Fri, Jan 26, 2018 at 11:11 AM, Binyamin Dissen < :>[email protected]> wrote: :> :>> As this information is available to unprivileged programs, using SAF to :>> secure :>> it does not protect system integrity and is silly. :>> :>> On Fri, 26 Jan 2018 01:43:25 -0600 Andrew Metcalfe :>> <[email protected]> wrote: :>> :>> :>If you have a moment please review my RFE for ISPF's ISRDDN/DDLIST :>> function below. :>> :>> :>In summary it asks for SAF protection for some of the sub-functions such :>> as APF/DISASM etc. :>> :>> :>If you think it is a valid request please vote. :>> :>> :>If you think it's mad, please tell my auditors :-). :>> :>> :>http://www.ibm.com/developerworks/rfe/execute? :>> use_case=viewRfe&CR_ID=115532 :>> :>> -- :>> Binyamin Dissen <[email protected]> :>> http://www.dissensoftware.com :>> :>> Director, Dissen Software, Bar & Grill - Israel :>> :>> :>> Should you use the mailblocks package and expect a response from me, :>> you should preauthorize the dissensoftware.com domain. :>> :>> I very rarely bother responding to challenge/response systems, :>> especially those from irresponsible companies. :>> :>> ---------------------------------------------------------------------- :>> For IBM-MAIN subscribe / signoff / archive access instructions, :>> send email to [email protected] with the message: INFO IBM-MAIN :>> -- Binyamin Dissen <[email protected]> http://www.dissensoftware.com Director, Dissen Software, Bar & Grill - Israel Should you use the mailblocks package and expect a response from me, you should preauthorize the dissensoftware.com domain. I very rarely bother responding to challenge/response systems, especially those from irresponsible companies. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
