Yes. My mistake. I should have said AUTHTSF. Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd Web: www.rsmpartners.com ‘Dance like no one is watching. Encrypt like everyone is.’
-----Original Message----- From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Walt Farrell Sent: 04 December 2019 21:38 To: [email protected] Subject: Re: [IBM-MAIN] AUTHPGM in IKJTSOxx On Wed, 4 Dec 2019 01:28:39 +0000, Lennie Dymoke-Bradshaw <[email protected]> wrote: >Jesse / Skip, > >This is actually defined as being a requirement in "DFSMS Access Method >Services Commands" SC23-6846-30. See Page 6, or just search for AUTHCMD >and you will quickly find it. It states the following, > >"To use IDCAMS and some of its parameters from TSO/E, your system programmer >must update the system by one of these means: >. Update the IKJTSOxx member of SYS1.PARMLIB. This is the method that IBM >recommends. Add IDCAMS to the list of authorized programs (AUTHPGM). If you >want to use SHCDS, SETCACHE, LISTDATA, DEFINE or IMPORT from TSO/E, add them >(and abbreviations) to the authorized command list(AUTHCMD). >. Update the IKJEGSCU CSECT instead of IKJTSOxx, see z/OS TSO/E Customization >for more information." > >This does not introduce the exposure that placing IDCAMS into AUTHPGM does. >Several forms of DEFINE require APF authorisation. There is no exposure, today, with having IDCAMS in the AUTHPGM list. There was, I believe, in the distant past before the AUTHTSF list was created. There would be an exposure putting IDCAMS in the AUTHTSF list. For more: https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.ikjb700/ikjb700_Program_Authorization_and_Isolation.htm -- Walt ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
