APF and AC(1) are related in that ATTACH RSAPF=YES only tests the AC if the 
module comes from an authorized concatenation.

Yes, never mark a module as AC(1) unless it is intended to be an authorized 
jobstep program or an authorized TSO command.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of 
Erik Janssen [eaw.jans...@gmail.com]
Sent: Tuesday, February 22, 2022 10:49 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: creating a python login module

Yes, I think I understand that now. It was only recently that I found out the 
APF and AC(1) are even sort of unrelated in a way. I always thought that any 
module performing authorized functionality had to be linked AC(1), but I found 
that only main routines should be linked AC(1) and that it can even be 
dangerous to link a module that is not intended to be called as a main routine 
AC(1).


On Tue, 22 Feb 2022 15:12:35 +0000, Seymour J Metz <sme...@gmu.edu> wrote:

>APF AC(1), program control and UID(0) are mutually unrelated.
>
>
>--
>Shmuel (Seymour J.) Metz
>http://mason.gmu.edu/~smetz3
>
>________________________________________
>From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of 
>Erik Janssen [eaw.jans...@gmail.com]
>Sent: Monday, February 21, 2022 3:59 PM
>To: IBM-MAIN@LISTSERV.UA.EDU
>Subject: Re: creating a python login module
>
>Well, the routine I wrote can handle a user, password or passphrase and 
>optionally an APPL to verify against.
>So, even though there are a lot of options to do it differently, I was more 
>looking for ways how such a 'service routine' that needs apf authorization 
>could be used from a non-authorized caller.
>The __passwd routine can do it, but it requires program controlled environment 
>and python doesn't seem to be defined as program controlled and I don't want 
>to 'just' enable it.
>Also, the relation between APF authorisation and program control (if any) 
>still eludes me, and if there is no relation then I don't understand how 
>__passwd can check a password if the environment is not apf authorized.
>I hope that someone can explain how that works.
>
>Kind regards,
>Erik.
>
>On Mon, 21 Feb 2022 15:10:48 +0000, Colin Paice <colinpai...@gmail.com> wrote:
>
>>Erik,
>>
>>Do you need to specify a password?
>>
>>Could you define a RACF profile instead, and use RACF check to see if the
>>userid has access to that profile?
>>I don't think there is a Callable function for it, but you could write some
>>glue code to call an assembler routine to do a RACROUTE call.
>>
>>You could use an existing class, such as APP.
>>I don't think it needs to be APF authorised... but you would need to check
>>this.
>>
>>Colin
>>
>
>----------------------------------------------------------------------
>For IBM-MAIN subscribe / signoff / archive access instructions,
>send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN