is it ok to Override the default SAFDEF- SAFALL

book

Article ID: 74966

calendar_today

Updated On:

Products

CA ACF2 CA ACF2 - DB2 Option CA ACF2 for zVM CA ACF2 - z/OS CA ACF2 - MISC

Issue/Introduction



Someone here in the past decided to add SAFDEF GSO records that look like:

SAF00025 JOBNAME=********   USERID=********   PROGRAM=********   RB=********
         RETCODE=4          SAFDEF=GSO        MODE=IGNORE        SUBSYS=****
         FUNCRET=4          FUNCRSN=0                                       

This GSO definition overrides the ACF2-provided SAFALL safdef, which specifies MODE=GLOBAL.
All SAF calls that don't have a safdef to control validation will use this record.
should i continue to run with this safdef or should I use the ACF2 default. 

Environment

Release:
Component: ACF2MS

Resolution

A mode(ignore) override to SAFALL is a security exposure. the default with SAFALL is mode(global) which means to validate anything that is not already included in another safdef. ACF2 philosophy is protection by default. With a mode(ignore) override - that philosophy would be compromised.