On Fri, 23 Apr 2010 14:01:38 -0400, Bathmaker, Jon <[email protected]> wrote:
>I wanted an ACF2 exit, not general advice. Thanks.

I can only comment in the context of RACF, not ACF2. With RACF there are exits where you could make RACF pretend a user had an extraordinary authority while the exit thinks some application is running. The problem, which is nearly insurmountable, is making sure the exit is right in what it thinks is running. MVS makes it nearly impossible to tell with certainty what is really running, especially in an environment as complex as ISPF. We've faced that many times implementing PROGRAM control and Program Access to Data Sets (PADS) in RACF, and implementing a function like you describe with System Integrity is not simple, if it's possible at all.

Implementing it without System Integrity is, of course, rather trivial. But then a clever user has elevated privileges and can use them to do anything he wants, not what you intended.

--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design

