How does that interact with ICSF CHECKAUTH that forces security checks for authorized address spaces?
Rob On Thu, Jul 26, 2018, 9:56 PM Paul Gilmartin < [email protected]> wrote: > On Thu, 26 Jul 2018 22:13:01 -0300, Clark Morris wrote: > > >[Default] On 26 Jul 2018 16:54:23 -0700, (Walt Farrell) wrote: > > > >>On Thu, 26 Jul 2018 09:54:48 -0500, Tom Marchant wrote: > >> > >>>> > >>>>I believe there is one exception to that, unless the behavior has been > changed in the past few years: as I recall, OPEN for a > >>>>VSAM file will bypass security checking if the issuer of OPEN is > running in supervisor state. I think it's documented (briefly) > >>>>deep in some manual, but I forget which one. > >>> > >>>See the last sentence: > >>> > https://www.ibm.com/support/knowledgecenter/SSLTBW_2.3.0/com.ibm.zos.v2r3.idad400/ods.htm > >>> > >>>"Note: RACF protection supersedes password protection for a data set. > RACF checking is bypassed for a caller that is in supervisor state or key > 0." > >>> > >> > >>Thanks, Tom. And, note, for those who may not follow the link, that that > statement is for VSAM only. > > > >Why would they exclude only VSAM from checking? Is it because of Page > >Datasets or some other reason? Are there other ways of bypassing or > >ignoring checking for supervisor and key zero code? > > > My conjecture is that the VSAM address space itself performs the needed > check. > > -- gil > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN > -- Rob Schramm ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
