I think that the likelihood of SDSF removing protection for the APF command in the next release is exactly zero.

There are a few points I would like to make:

(1) SDSF historically has provided protection for all of its non-trivial commands and the dynamic construction of the user interface is based on security decisions. SDSF users expect there to be a security resource for any new command that displays data. Granting carte-blanche access to a whole ream of commands (old or new) in a new release would be incompatible with previous behaviour.

(2) SDSF has to cope with cross-system requests - it is very possible that the user might not have access to certain SDSF commands on non-local systems.

(3) SDSF data collection runs in an authorized state and it does not have to be re-engineered to provide secure protection of functionality. ISRDDN runs as a key-8 problem state ISPF program and to convert it to securely protect its functionality would be a non-trivial amount of development effort.

Rob Scott

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Walt Farrell
Sent: Monday, January 29, 2018 7:19 PM
To: [email protected]
Subject: Re: RFE For ISRDDN/DDLIST to further protect system integrity

On Mon, 29 Jan 2018 20:03:11 +0200, ITschak Mugzach <[email protected]> wrote:

>To summarise Rob's and Walt's argument, the security applied to APF
>panel in SDSF was a mistake and I believe IBM will remove it in next release...

There are some possible distinctions between SDSF and ISRDDN, though.

First, SDSF already provides highly granular controls that are intended both for security and simply for customization, and it would seem strange to IBM's customers for an SDSF function not to have such controls, given the other controls that have already been present.

Second, I think that SDSF has the ability to provide information from more than one system. ISRDDN is only giving you information from the current system, I think.

It's true that it makes no sense to protect the function in ISRDDN because anyone can simply look in storage to see the information. But SDSF may deserve more protection as it can show you information from systems that you're not allowed to logon to, and thus can't inspect directly.

Having said that, I no longer have access to internal IBM discussions and really don't know much about the history of SDSF controls for its APF panel and the rationale for providing them.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
