is it ok to Override the default SAFDEF- SAFALL
search cancel

is it ok to Override the default SAFDEF- SAFALL


Article ID: 74966


Updated On:


ACF2 ACF2 - DB2 Option ACF2 for zVM ACF2 - z/OS ACF2 - MISC


Someone here in the past decided to add SAFDEF GSO records that look like:

SAF00025 JOBNAME=********   USERID=********   PROGRAM=********   RB=********
         RETCODE=4          SAFDEF=GSO        MODE=IGNORE        SUBSYS=****
         FUNCRET=4          FUNCRSN=0                                       

This GSO definition overrides the ACF2-provided SAFALL safdef, which specifies MODE=GLOBAL.
All SAF calls that don't have a safdef to control validation will use this record.
should i continue to run with this safdef or should I use the ACF2 default. 


Component: ACF2MS


A mode(ignore) override to SAFALL is a security exposure. the default with SAFALL is mode(global) which means to validate anything that is not already included in another safdef. ACF2 philosophy is protection by default. With a mode(ignore) override - that philosophy would be compromised.