________________________________ From: Wayne Driscoll <wdri...@us.ibm.com> To: IBM-MAIN@bama.ua.edu Sent: Fri, April 2, 2010 5:12:16 PM Subject: Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use
Paul, Thankfully, APF authorization and system resource access security are 2 separate things. When the OPEN SVC gets invoked, it will perform a RACROUTE REQUEST=AUTH call for the dataset being opened, regardless of the value in JSCBAUTH. The only way that security checks are bypassed is via the NODSI option in the PPT. Now an APF authorized program could switch to key 0 and update various fields so the security system thinks they have more authority than they really should, but that isn't an issue when using a utility, particularly one that is covered under the z/OS statement of integrity. =============================================== Wayne Driscoll OMEGAMON DB2 L3 Support/Development wdrisco(AT)us.ibm.com =============================================== Wayne, I guess we will not talk about IEBCOPY then? Not to get deeply into the discussion I will make a brief observation and then let everyone make up their own mind. OK this was approximately 25 years ago (but still valid today) we had been running MVS for several years. We had a *REALLY* good applications programmer that simply bypassed any and all protections we had, RACF, expiration dates, password protection, doing cross address space snooping and alterations. In short he was a nightmare. Before going to upper management we decided we had to have proof what he was doing . We decided the only possible way to monitor him was with GTF. He was able to bypass even GTF recording for him, he was that good. After 2 or 3 weeks we went to upper management and explained the issue telling him we could not get real proof and the only facility we had left (dumping his address space) was not all that proof proof (legally speaking). The VP talked with us for while and he left it with us that he would have to talk with some lawyers and others. Several weeks later we were in a meeting about something else and the meeting ended and he asked two of us to stay. He said he talked with some IBM people (he was an ex IBMer himself) and some lawyers. He told us his options were limited (it was a treacherous political place in the upper strata). It came down to him letting the subsidiary know that the programmer was no longer welcome on the system. We weren't happy but we asked that he do that as our system availability had gone to pot when ever he was signed on. We were basically behind a brick wall on this. This was before upper management had been taught about RAS. Our VP did ask the subsidiary to restrict his access. They went ballistic and did some threatening up at high corporate level (I learned this a while later). The decision came down that we had to do a hands off on this guy. Fast forward 2 years the company decided to sell of the subsidiary and the guy left the company. He went to work for some MVS product company (sorry do not remember what the name was). We heard that and made sure that our company would never buy a product from them. MVS Security is pretty damn good (excellent in fact) but if you have a smart guy he can bypass any and all MVS logging/security/APF etc etc if he wants to. Ed ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html