On Fri, 2 Apr 2010 10:41:36 +0000, Bob Shannon wrote:

>We applied the APAR. We protect the SMP data. I'm sort of baffled why IBM felt
>SAF support was necessary for SMPE.
>
<Grrr>
Me either. And since it's called "integrity", we'll never know.

Apparently SMP/E took the easy way out: rather than take the admittedly tedious step of putting suitable SAF checks at all points where SMP/E accesses resources, SMP/E shifted the burden to systems administrators who can use only the relatively coarse granularity of permitting access to a certain command to a certain user regardless of which resources it may access.

GIMZIP? Gimme a break! All GIMZIP does is invoke IEBCOPY and pax(1). Doesn't IEBCOPY have its own SAF checks? (I surely hope so.) And isn't pax constrained by the normal Unix file permissions and ACLs?

Or did the perceptibly capable SMP/E designers simply succumb to ignorant pressure from administrators who chant, "SMP/E is an administrative tool (like ADRDSSU). Use of administrative tools must be restricted to administrators!"

What is becoming of the philosophy, "Protect resources; don't restrict access to tools."
</Grrr>

>Since we are a development shop in which dozens of people use SMPE, we simply
>set the access to UACC(READ) which gives everyone access to all of the SMP/E
>commands.
>
Us too. I've put in the request.

-- gil