I missed the "authorized" part the first time around. I don't think anyone has mentioned the TSOEXEC command. It runs an authorized command (authorized) from an unauthorized environment. (No, I didn't leave out a blank. TSOEXEC is the full 7-character command name. Google it.)
OREXXMan
Q: What do you call the residence of the ungulate with the largest antlers?
A: A moose pad.
:-D
Would you rather pass data in move mode (*nix piping) or locate mode (Pipes) or via disk (JCL)?
Why do you think you rarely see *nix commands with more than a dozen filters, while Pipelines specifications are commonly over 100s of stages, and 1000s of stages are not uncommon.
REXX is the new C.

On Wed, Aug 24, 2022 at 1:08 PM Walt Farrell <walt.farr...@gmail.com> wrote:

> On Mon, 22 Aug 2022 16:16:06 -0500, Paul Gilmartin <paulgboul...@aol.com> wrote:
>
> >Why is there an AUTHPGM NAMES list at all? Why shouldn't it just be
> >    * (everything)
> >???
> >
> >I can imagine several reasons: Even some authorized programs might not
> >be trusted not to modify the WAITing TSO task (IKJEFTT09?), perhaps by
> >ALLOCATE REUS of a file TSO uses. Or by modifying TSO storage. Or
> >by monopolizing a scarce resource (such as a tape drive) during programmers'
> >think time. BTDT; alas no distinction is made between real tapes and virtual
> >tapes which are more likely to be plentiful.
> >
> >Is the motive one of these, or something similar?
>
> I cannot provide a definitive answer to that, as I was not involved in any
> of the design for that function.
>
> I can, though, guess that they did not want to assume that every
> APF-authorized program would behave properly when invoked authorized but in
> an unexpected environment, and therefore chose to restrict them unless IBM
> or a customer had specifically listed them as "safe".
>
> >
> >This feels like something that should be programmer-specific, such as a RACF
> >profile allowing Lizette but not me the facility.
> >
>
> I don't see a need for saying "program X can run APF-authorized under TSO
> if Lizette runs it, but not if Paul runs it." That is not a function that
> exists when you run a program in batch, for example, and if it were to be
> meaningful in TSO it would also be meaningful in batch.
>
> You can control which users can run which programs (PROGRAM control in
> RACF, though that came later than AUTHPGM), and if an APF-authorized
> program is doing something that should be restricted further, it can do its
> own resource checking (as AMASPZAP does when zapping a VTO).
>
> --
> Walt
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN