I thought this must be the case but wanted to check. This is indeed how the product I am working on is set up: the top-level job step module is AC=1, the rest not.
Thanks Robin -----Original Message----- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Tony Harminc Sent: 18 May 2017 23:23 To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: ATTACH with RSAPF=YES On 18 May 2017 at 08:56, Robin Atwood <abend...@gmail.com> wrote: > What is the situation of a module that is loaded from an authorised > library but was linked with AC=0? Is it authorised? Can it get authorised? > Modules are not authorized. Job steps are authorized. If you are able to get your job step from an unauthorized to an authorized state using IBM supplied facilities, IBM promises to fix it so you can't. And probably pretty quickly. I don't mean to sound pedantic about this. There is indeed an important distinction between modules marked AC(1) and those not, when they live in an authorized library. Nothing prevents an AC(0) module from being loaded from such a library by an authorized job step, and given control in an authorized state. This is the normal situation. The only modules that should be marked AC(1) are those that are intended to be invoked as the initial program of a job step, which typically means EXEC PGM= in JCL, or CALL in TSO. (TSO has additional requirements to make CALL invoke a program in an authorized state.) Such modules must be prepared to deal safely with their environment, parms, and input data and not compromise system integrity, because any user can invoke them with any parms and input. Modules that are intended to run authorized, but to be invoked only by other code running authorized, may not need such general protection against malicious invokers. Tony H. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
