APF and AC(1) are related in that ATTACH RSAPF=YES only tests the AC if the module comes from an authorized concatenation.
Yes, never mark a module as AC(1) unless it is intended to be an authorized jobstep program or an authorized TSO command.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Erik Janssen [eaw.jans...@gmail.com]
Sent: Tuesday, February 22, 2022 10:49 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: creating a python login module

Yes, I think I understand that now. It was only recently that I found out the APF and AC(1) are even sort of unrelated in a way. I always thought that any module performing authorized functionality had to be linked AC(1), but I found that only main routines should be linked AC(1) and that it can even be dangerous to link a module that is not intended to be called as a main routine AC(1).

On Tue, 22 Feb 2022 15:12:35 +0000, Seymour J Metz <sme...@gmu.edu> wrote:

>APF AC(1), program control and UID(0) are mutually unrelated.
>
>
>--
>Shmuel (Seymour J.) Metz
>http://mason.gmu.edu/~smetz3
>
>________________________________________
>From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of
>Erik Janssen [eaw.jans...@gmail.com]
>Sent: Monday, February 21, 2022 3:59 PM
>To: IBM-MAIN@LISTSERV.UA.EDU
>Subject: Re: creating a python login module
>
>Well, the routine I wrote can handle a user, password or passphrase and
>optionally an APPL to verify against.
>So, even though there are a lot of options to do it different, I was more
>looking for ways how such a 'service routine' that needs apf authorization
>could be used from a non-authorized caller.
>The __passwd routine can do it, but it requires program controlled environment
>and python doesn't seem to be defined as program controlled and I don't want
>to 'just' enable it.
>Also, the relation between APF authorisation and program control (if any)
>still eludes me, and if there is no relation then I don't understand how
>__passwd can check a password if the environment is not apf authorized.
>I hope that someone can explain how that works.
>
>Kind regards,
>Erik.
>
>On Mon, 21 Feb 2022 15:10:48 +0000, Colin Paice <colinpai...@gmail.com> wrote:
>
>>Erik,
>>
>>Do you need to specify a password?
>>
>>Could you define a RACF profile instead, and use RACF check to see if the
>>userid has access to that profile?
>>I don't think there is a Callable function for it, but you could write some
>>glue code to call an assembler routine to do a RACROUTE call.
>>
>>You could use an existing class, such as APP.
>>I don't think it needs to be APF authorised... but you would need to check
>>this.
>>
>>Colin
>>
>
>----------------------------------------------------------------------
>For IBM-MAIN subscribe / signoff / archive access instructions,
>send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN