There is a third option, but it could be the riskiest. Verify that the libraries in the JOBLIB only contain modules from TRUSTED sources, and add them to the APF list.
Wayne Driscoll
Product Developer
NOTE: All opinions are strictly my own.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Walt Farrell
Sent: Wednesday, August 13, 2008 9:25 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: APF authorization question

On Thu, 14 Aug 2008 01:05:29 +0000, Ted MacNEIL <[EMAIL PROTECTED]> wrote:

>I mean no dis-respect, but we've told the OP:
>...snipped...
>2. All libraries in a concatenation for STEP/JOB LIB must be authorised, or the whole list is not.
>

In fairness, though, if this were about losing APF-authorization his unauthorized JOBLIB would not matter (as the module is not in it). However, it's not about APF-authorization, but assignment of PPT attributes, and for that case the JOBLIB does matter.

The answer is the same, of course. He can not have that JOBLIB in effect for the DSNUTILB step. He could:

(a) remove the JOBLIB, possibly replacing it for other steps in the job with STEPLIB DD statements.
Or
(b) override the JOBLIB for the DSNUTILB step by providing that step with an APF-authorized STEPLIB.

--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
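
The rule discussed in this thread (a step-level STEPLIB replaces the JOBLIB, and a concatenation counts as authorized only if every library in it is) can be checked statically before a job is submitted. The sketch below is an added example, not code from any poster in the thread; it goes a little beyond the DSNUTILB case by auditing every step. The job, the dataset names and the APF list are constructed, and the parser assumes simple JCL with no procs, symbols or continuation lines.

```python
import re

# Constructed sample job; all dataset names and the APF list are hypothetical.
SAMPLE_JCL = """\
//MYJOB    JOB (ACCT),'DEMO'
//JOBLIB   DD DSN=USER.TEST.LOADLIB,DISP=SHR
//STEP1    EXEC PGM=MYPROG
//STEP2    EXEC PGM=DSNUTILB
//STEP3    EXEC PGM=DSNUTILB
//STEPLIB  DD DSN=DB2.PROD.SDSNLOAD,DISP=SHR
//STEP4    EXEC PGM=DSNUTILB
//STEPLIB  DD DSN=DB2.PROD.SDSNLOAD,DISP=SHR
//         DD DSN=USER.TEST.LOADLIB,DISP=SHR
"""
APF_LIST = {"DB2.PROD.SDSNLOAD"}

STMT = re.compile(r"^//(\S*)\s+(JOB|EXEC|DD)\b\s*(.*)$")

def effective_libs(jcl):
    """Return (step, program, libraries) per step; STEPLIB replaces JOBLIB."""
    joblib, steps, target = [], [], None
    for line in jcl.splitlines():
        m = STMT.match(line)
        if line.startswith("//*") or not m:
            continue  # comment, or a statement type this sketch ignores
        name, op, operands = m.groups()
        if op == "EXEC":
            pgm = re.search(r"PGM=([A-Z0-9$#@]+)", operands)
            steps.append((name, pgm.group(1) if pgm else None, []))
            target = None
        elif op == "DD":
            if name == "JOBLIB":
                target = joblib
            elif name == "STEPLIB" and steps:
                target = steps[-1][2]
            elif name:
                target = None  # any other named DD ends the concatenation
            dsn = re.search(r"DSN(?:AME)?=([A-Z0-9$#@.]+)", operands)
            if target is not None and dsn:
                target.append(dsn.group(1))
    return [(s, p, libs or joblib) for s, p, libs in steps]

def audit(jcl, apf):
    """List, per step, the libraries in its effective concatenation not in apf."""
    report = {}
    for step, pgm, libs in effective_libs(jcl):
        bad = [d for d in libs if d not in apf]
        report[step] = {"pgm": pgm, "libs": list(libs), "unauthorized": bad}
    return report
```

In the sample, STEP2 inherits the unauthorized JOBLIB, STEP3 is option (b) from the thread, and STEP4 shows one unauthorized library spoiling an otherwise authorized STEPLIB concatenation.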