The difference is that TSO (and ISPF) runs in problem state and the jobstep is unauthorized.
In batch, when executing a program linked AC(1) that comes from a valid APF authorized library, then the entire jobstep is considered authorized.

TSO must jump through a few hoops to attempt to provide a safe way of invoking the authorized program - this involves having a parallel authorized jobstep TMP task and suspending all TCBs on the non-authorized "leg" while the authorized code is executing.

Hence the various tables in TSO (and ISPF) to define these special circumstance commands (or programs) that can run authorized.

Throw into the ring, the confusion that can occur with TSOLIB and ISPLLIB (and STEPLIB) - it can get messy to code applications and debug problems in this area - especially when your code is running on other people's systems.

Rob Scott
Lead Developer
Rocket Software
77 Fourth Avenue . Suite 100 . Waltham . MA 02451-1468 . USA
Tel: +1.781.684.2305
Email: rsc...@rs.com
Web: www.rocketsoftware.com

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Leonardo Vaz
Sent: 04 March 2014 15:51
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ISPF storage protection

True, I have never understood that either, gil. It might have more to do with executing the program in the appropriate TCB than a security exposure.

Leo

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Paul Gilmartin
Sent: Tuesday, March 04, 2014 10:25 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ISPF storage protection

On Tue, 4 Mar 2014 08:54:43 -0500, Shmuel Metz (Seymour J.) wrote:

>In <9819019940159674.wa.paulgboulderaim....@listserv.ua.edu>, on
>03/03/2014
>   at 06:14 PM, Paul Gilmartin <paulgboul...@aim.com> said:
>
>>I have no idea why APF authorized library and link edit with AC=1
>>alone don't suffice.
>
>Because it would be a major security breach.
>
That doesn't tell me much. Why? How? Would it be any less a security breach to invoke such a program from JCL with "EXEC PGM=..." which likewise causes it to run in the authorized state?

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN