Sounds like an APF list problem rather than AUTHPGM ... remember that in the APF list both dsname and volser are specified, so a poorly managed list with "extra" volser entries (often used for DR testing, for example) could result in the "clever user" finding an unused but live entry and thus being able to create his own dataset on the specified volser, thereby becoming APF authorized. Very high impact defect in your z/OS configuration if this is the case, and needing remedy ASAP. A thorough review of your APF datasets and their status would be a good idea, before you chase a defect in AUTHPGM.
On Thu, Nov 14, 2019 at 1:56 AM Jeffrey Holst <[email protected]> wrote:

> Does AUTHPGM require that the specified program have a non-zero AC or that
> it be in an APF authorized library?
>
> I ask because it appears that a very clever user may have written a
> program whose name matches a program in the AUTHPGM list. The program
> executes a macro instruction that requires APF authorization. It appears
> that he was able to successfully call it from TSO.
>
> If this is the case, is there a way to secure this? If this is not
> supposed to work this way, this would seem to be an integrity issue that is
> worthy of a PMR.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
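
An added example, not part of the original thread: a sketch of the APF list review suggested in the reply, flagging entries whose dsname is not actually present on the listed volser. The display text and the volume inventory are constructed samples, and the entry/volume/dsname column layout with the `*SMS*` marker is assumed to match what `D PROG,APF` shows on your system.

```python
import re

# Constructed sample in the style of a D PROG,APF display (not from the thread).
APF_DISPLAY = """\
CSV450I 10.15.02 PROG,APF DISPLAY 123
FORMAT=DYNAMIC
ENTRY VOLUME DSNAME
   1  RES001  SYS1.LINKLIB
   2  *SMS*   SYS1.SIEALNKE
   3  DRT001  SYS1.LINKLIB
   4  WRK003  VENDOR.PROD.LOADLIB
"""

# Constructed inventory: datasets actually allocated on each known volume.
# In practice this would come from your own volume/catalog listings.
INVENTORY = {
    "RES001": {"SYS1.LINKLIB", "SYS1.LPALIB"},
    "DRT001": set(),              # DR test volume, library never restored
    "SMS001": {"SYS1.SIEALNKE"},
}

# Assumed layout: entry number, volume (or *SMS*), dataset name.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s*$")

def parse_apf(display):
    """Return (entry, volser, dsname) tuples; header lines do not match."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(ENTRY.match, display.splitlines()) if m]

def audit(entries, inventory):
    """Flag APF entries that do not correspond to a real dataset."""
    findings = []
    for num, vol, dsn in entries:
        if vol == "*SMS*":
            # SMS-managed entry: no volser in the list, so look on any volume.
            if not any(dsn in dsns for dsns in inventory.values()):
                findings.append((num, vol, dsn, "SMS entry, dataset not found"))
        elif vol not in inventory:
            findings.append((num, vol, dsn, "volume not in inventory"))
        elif dsn not in inventory[vol]:
            # The name is free on that volume: the exposure the reply describes.
            findings.append((num, vol, dsn, "dataset absent on volume"))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_apf(APF_DISPLAY), INVENTORY):
        print("%3d %-6s %-24s %s" % finding)
```

Each finding is a candidate for removal from the APF list, or for a check of who is permitted to allocate that dataset name on that volume.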
