<snip>
...SYS1.LPALIB is automatically APF authorized. I believe that the whole 
PLPA is APF as well, although we seem to name all the other LPALIBs 
explicitly. I'm sure that the CSVAPF macro requires APF to execute. The 
entire linklist is APF only if that parameter is coded in PARMLIB, 
otherwise each module is evaluated according to its origin. 
</snip>

LPALST data sets (SYS1.LPALIB or anything else) are not technically 
APF-authorized. But that's because the modules in the data set are 
pre-loaded when building PLPA/FLPA. What is true is that modules within 
LPA (however they got there) are treated as if they came from an 
APF-authorized library.

Thus, when there is a requirement that a module fetch be satisfied from an 
APF-authorized library, modules in LPA qualify.

The CSVAPF macro requires SAF authorization (unless the security program 
responds with "I do not know") -- APF-authorized is not enough, system key 
is not enough, supervisor state is not enough. Of course it's true that if 
someone is any of the last 3 they could get into a state (or already be in 
a state) where they could manipulate the control structures and accomplish 
the function.

The system parameter relevant to the last sentence is LNKAUTH={LNKLST | 
APFTAB}. The default is LNKLST. So the last sentence isn't fully true. The 
correct statement would be "The entire linklist is treated as 
APF-authorized if LNKAUTH=LNKLST is in effect" which becomes "...when 
LNKAUTH=APFTAB is not specified". If that system parameter were being 
developed "today", the default would likely have been LNKAUTH=APFTAB (it's 
typically recognized now as a good idea to have the default tend towards 
more-narrow privilege, and let those who need it and have authority to do 
so ask for wider privilege). This 40+ year-old default isn't going to 
change.

Peter Relson
z/OS Core Technology Design
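
Added example, not part of the original post: a simplified Python model of the rules described above, used to list linklist data sets that are treated as authorized only because LNKAUTH=LNKLST is in effect. The function names and data set names are constructed, and the model assumes a plain name match against the APF table (volume matching and system-default entries are left out).

```python
"""Simplified model of the fetch-authorization rules described in the post."""

VALID_LNKAUTH = ("LNKLST", "APFTAB")


def treated_as_apf(origin, dsn, lnkauth, apf_table):
    """Return True if a fetched module counts as coming from an APF library.

    origin    : "LPA", "LNKLST" (found via the linklist concatenation),
                or "OTHER" (any other source, e.g. a STEPLIB)
    dsn       : data set the module came from (ignored for LPA)
    lnkauth   : LNKAUTH system parameter value, "LNKLST" or "APFTAB"
    apf_table : set of data set names in the APF table (assumption:
                name match only, no volume check)
    """
    if lnkauth not in VALID_LNKAUTH:
        raise ValueError(f"LNKAUTH must be one of {VALID_LNKAUTH}")
    if origin == "LPA":
        # Modules in LPA are treated as if they came from an APF library.
        return True
    if origin == "LNKLST" and lnkauth == "LNKLST":
        # Default: the whole linklist concatenation is treated as authorized.
        return True
    # LNKAUTH=APFTAB, or a non-linklist origin: the APF table decides.
    return dsn in apf_table


def lnkauth_dependent(linklist, apf_table):
    """Linklist data sets that lose authorization under LNKAUTH=APFTAB."""
    return [
        dsn for dsn in linklist
        if treated_as_apf("LNKLST", dsn, "LNKLST", apf_table)
        and not treated_as_apf("LNKLST", dsn, "APFTAB", apf_table)
    ]


# Constructed sample data, not taken from any real system.
LINKLIST = ["SYS1.LINKLIB", "VENDOR.PROD.LOAD", "SITE.TOOLS.LOAD"]
APF_TABLE = {"SYS1.LINKLIB", "VENDOR.PROD.LOAD", "SITE.AUTH.LOAD"}

if __name__ == "__main__":
    for dsn in lnkauth_dependent(LINKLIST, APF_TABLE):
        print(f"{dsn}: authorized only via LNKAUTH=LNKLST")
```

Each data set the audit reports needs either an explicit APF table entry or a decision that it should not be authorized before LNKAUTH=APFTAB is specified.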

