On Wed, 4 May 2022 12:50:49 -0400, zMan <zedgarhoo...@gmail.com> wrote:
>Someone on r/mainframe asks what SAF does without an ESM. I'm thinking "not
>much", but the last sentence above sort of suggests otherwise--unless "SAF
>either processes security authorization requests directly" means "returns
>RC=0 in all cases", in which case it would be accurate but IMHO overly
>vague. Thoughts?

Your instincts on "not much" are on point. You can read all about the SAF interface in Appendix D of the RACROUTE Macro Reference. Without an ESM, SAF will "defer" to the caller. How the caller treats a deferral is up for grabs. If, like TSO, the caller has a secondary authentication/authorization mechanism (e.g. SYS1.UADS), then all is not lost. But if the app/subsystem is entirely dependent on the ESM, all security decisions will [should] be "denied" or it should attempt to engage a human.

Alan Altmark
IBM z/VM Consultant