Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

Wed, 07 Apr 2010 05:50:36 -0700 

Over the years, in multiple shops, I have come across multiple sysprogs that
have created new APF libraries. As you say, it is needed to perform their
job. However, ensuring that those libraries were appropriately protected may
not have been their job (perhaps it should have been, but that is a
different issue). After many months or years, it was discovered that those
APF libraries did not have appropriate protection. One can argue that
company had poor procedures, or not enough staff, etc. which should be
addressed, or you could provide a facility to mitigate the situation.

The mere fact that a library is APF authorized implies that you probably
only what highly trusted people updating it. If you could put your highly
trusted people on the access list of just one profile that protected all APF
libraries that would help reduce the human error factor or the don't care
factor. It does mean higher overhead, but protecting APF libraries is
important. Of course, if you have good procedures that are always followed,
you don't need this kind of feature. Human error (and it's not my job) is
really hard to eliminate. The new hire who does not know or understand your
naming standard can introduce a hole.

CSVAPF protects who can change the APF list. That is different from
protecting the content of the APF libraries. What I had suggested was method
to allow you to protect (with a single profile) all currently APF authorized
libraries from unauthorized update or access regardless of its name, volume,
etc. In other words, even if you had DATASET ALTER authority to a APF
library, you could not update it unless you also had UPDATE to the special
APF profile. Of course, this added protection does not apply while the
libraries are not in the APF list or from another system with a different
APF list. Obviously my suggestion was not bullet proof and had a few holes. 

I think the RACF administrator can and should ask about new APF libraries.
Not whether the library is needed, but whether it is appropriately
protected. 

Don Williams

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf
Of R.S.
Sent: Wednesday, April 07, 2010 2:42 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition
required for any SMP/E use

Don Williams pisze:
[...]
> A fair number of years ago I submitted a DCR suggesting that customers
> should have an optional facility to control access to APF libraries. I
don't
> remember the details I suggested. 

Well, what control did you suggest, at least in general?
I ask, because there are CSVAPF.nnnn profiles (CSV*.** in general) in 
the FACILITY class. For 10+ years. Of course we still have regular 
DATASET control along with AUDIT(ALL) - to trace activities of persons 
who have authorization.



> Perhaps it was CLASS(FACILITY)
> 'APF.data-set-name' or maybe a new class CLASS(APFLIB) 'data-set-name'. 

Looks quite similar to CSVAPF.libname CL(FACILITY).


> In
> either case, the profile would apply to all APF libraries, in addition to
> their normal RACF profiles. APF libraries would have some protection, even
> if they had no regular data set profile. 


> A profile like CLASS(APFLIB) **
> UACC(READ) would prevent updates to all APF libraries, but allow
execution.
DATASET profiles already provide such control. UPDATE allows changes, 
while read allows read and execution. Why do you think that something 
else is needed? Just curious.



BTW: (this only my observation, YMMV)
I noticed that CSV*.** profiles are rarely used (never used in fact). 
Maybe the reason is that APF/LNKLST/LPA changes are done by sysprogs, 
and in fact RACF admin has no reason to ask "why" when a sysprog wants 
to change any of the lists. The answer would be "because it's my job, 
I'm installing ABC product".

-- 
Radoslaw Skorupka
Lodz, Poland


--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

Sd Rejonowy dla m. st. Warszawy 
XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, 
nr rejestru przedsibiorców KRS 0000025237
NIP: 526-021-50-88
Wedug stanu na dzie 01.01.2009 r. kapita zakadowy BRE Banku SA (w
caoci wpacony) wynosi 118.763.528 zotych. W zwizku z realizacj
warunkowego podwyszenia kapitau zakadowego, na podstawie uchway XXI WZ z
dnia 16 marca 2008r., oraz uchway XVI NWZ z dnia 27 padziernika 2008r.,
moe ulec podwyszeniu do kwoty 123.763.528 z. Akcje w podwyszonym
kapitale zakadowym BRE Banku SA bd w caoci opacone.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Reply via email to