General comments on what is being asked for:
- It appears poster is asking for a way to dynamically elevate
security authority for an ISPF application.
- The elevated security authority is about as high as it gets - With
SECURITY you can do anything you want in an ACF2 system.
- Are you sure you really want to do this? Think about what you are
asking for.
- Lets say you write the code to dynamically turn on SECURITY - How
are you going to secure this so that it is only used for its intended
purpose? Note that this code would have to NOT violate the IBM statement
of integrity (at least its intent). Translation - no one else could use
this code to dynamically obtain SECURITY and do what they want outside
of this single application.........
Given these thoughts I would suggest that you look at other alternatives
- such as using different Logonid's which it appears you discarded as
being not acceptable. Maybe there are other options that you discarded.
Just my .02 cents.
Ray Overby wrote:
ACF2 Security privilege is a combination of RACF SYSTEM SPECIAL +
SYSTEM OPERATIONS
McKown, John wrote:
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On
Behalf Of Bathmaker, Jon
Sent: Friday, April 23, 2010 10:20 AM
To: [email protected]
Subject: Re: Turning on ACF2 SECURITY Privilege through an exit . . .
Hi Tony,
We want the users to have the SECURITY privilege while they are
using an
ISPF application and ONLY while they are using this app. If we grant
them SECURITY using a command they will have that privilege the next
time they logon to TSO, regardless of the app., and that 'would be
wrong' (as Mr. Nixon said).
Does this explain it ?
Regards,
Jon
Hum, I don't know ACF2. What occurs to me as a __possibility__ is to
have your ISPF application execute a routine via IKJEFTSR interface.
This would invoke an APF authorized (via AC(1) and IKJTSOnn member of
PARMLIB) program. I think that you could pass parameters via the REXX
variable interface, bidirectionally. This routine would be APF
authorized only while it was executing. Depending on what you want to
do, this may give you sufficient authorization to do what you want.
It likely depends on whether you can isolate the section of code
which require SECURITY privilege into a separate module which acts
sort of like a subroutine (and does no ISPF functions).
Unfortunately, I don't know ACF2 at all and can't find anything via
Google that cleared up what "SECURITY privilege" grants to a user.
--
John McKown Systems Engineer IV
IT
Administrative Services Group
HealthMarkets(r)
9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * (817)-961-6183 cell
[email protected] * www.HealthMarkets.com
Confidentiality Notice: This e-mail message may contain confidential
or proprietary information. If you are not the intended recipient,
please contact the sender by reply e-mail and destroy all copies of
the original message. HealthMarkets(r) is the brand name for products
underwritten and issued by the insurance subsidiaries of
HealthMarkets, Inc. -The Chesapeake Life Insurance Company(r),
Mid-West National Life Insurance Company of TennesseeSM and The MEGA
Life and Health Insurance Company.SM
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
