Regarding the GSO SAFDEF “NOAPFCHK” parameter, what is the purpose of this parameter? Is it ok to set this parameter, and are there any security concerns in doing so?



Article ID: 94249


Products

ACF2 ACF2 - DB2 Option ACF2 for zVM ACF2 - z/OS ACF2 - MISC

Issue/Introduction



Regarding the GSO SAFDEF “NOAPFCHK” parameter, what is the purpose of this parameter? Is it ok to set this parameter, and are there any security concerns in doing so?

Environment

Release:
Component: ACF2MS

Resolution

STATUS=ACCESS is a keyword used in the RACROUTE REQUEST=AUTH security macro. It lets the caller interrogate security definitions (access and resource rules) to determine the access level a user holds. No auditing is performed for these requests.

To maintain system integrity, CA ACF2 requires that a user be APF-authorized to access security definitions; however, some products that use STATUS=ACCESS are not APF-authorized when they issue the request. The result is that CA ACF2 abends the task with a S047 from ACF9C000.

To accommodate products that need to issue a RACROUTE STATUS=ACCESS call from a non-APF-authorized program or state, CA ACF2 lets the security administrator define the specific calls for which the authorization check for STATUS=ACCESS will be bypassed. This is done with the NOAPFCHK keyword on a SAFDEF record that describes the specific environment from which this call is made.

Use of this parameter results in a less secure system because it allows a user to create a program that invokes STATUS=ACCESS requests from an unauthorized environment.

Since no logging is performed, a user could exploit NOAPFCHK to probe for vulnerabilities in the security permissions: STATUS=ACCESS provides the ability to query the security system for the level of access to a given resource without leaving an audit trail. For this reason the SAFDEF record carrying NOAPFCHK should be scoped as narrowly as possible to the environment (for example, the specific program or job) that actually needs it.
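As an added example (not part of the original article or the product), a small Python audit that parses SAFDEF INSERT commands and flags NOAPFCHK records that are not pinned to a specific PROGRAM, JOBNAME or USERID, or that carry NOAPFCHK on a call other than STATUS=ACCESS. The sample records are constructed, and the field names (ID, JOBNAME, PROGRAM, USERID, RACROUTE, MODE) are assumptions based on common SAFDEF usage; check them against the SAFDEF documentation for your release.

```python
import re

# Constructed sample input: SAFDEF records in the INSERT-command form an
# ACF2 administrator would type. Field names are assumptions, not taken
# from the article; verify against your release's SAFDEF documentation.
SAMPLE_SAFDEFS = """
INSERT SAFDEF.prodchk ID(PRODCHK) JOBNAME(PRODSTC) PROGRAM(PRODPGM) RACROUTE(REQUEST=AUTH,STATUS=ACCESS) MODE(GLOBAL) NOAPFCHK
INSERT SAFDEF.wide ID(WIDE) RACROUTE(REQUEST=AUTH,STATUS=ACCESS) MODE(GLOBAL) NOAPFCHK
INSERT SAFDEF.normal ID(NORMAL) PROGRAM(SOMEPGM) RACROUTE(REQUEST=AUTH) MODE(GLOBAL)
"""

# Matches FIELD(value) pairs such as PROGRAM(PRODPGM) or RACROUTE(REQUEST=AUTH,STATUS=ACCESS)
FIELD_RE = re.compile(r"(\w+)\(([^)]*)\)")

# Fields that tie a SAFDEF record to one specific calling environment
SCOPE_FIELDS = ("PROGRAM", "JOBNAME", "USERID")


def parse_safdef(line):
    """Return (record name, {FIELD: value}, {bare keywords}) for one INSERT SAFDEF line."""
    parts = line.split(None, 2)            # INSERT, SAFDEF.name, remaining operands
    name = parts[1].split(".", 1)[1]
    rest = parts[2] if len(parts) > 2 else ""
    fields = {k.upper(): v for k, v in FIELD_RE.findall(rest)}
    # Whatever is left after removing FIELD(value) pairs are bare keywords like NOAPFCHK
    keywords = {tok.upper() for tok in FIELD_RE.sub("", rest).split()}
    return name, fields, keywords


def audit_safdefs(text):
    """Return (name, reason) findings for NOAPFCHK records that are too broad or misplaced."""
    findings = []
    for line in text.strip().splitlines():
        if not line.upper().startswith("INSERT SAFDEF."):
            continue
        name, fields, keywords = parse_safdef(line)
        if "NOAPFCHK" not in keywords:
            continue                       # APF check still enforced; nothing to flag
        scoped = any(f in fields for f in SCOPE_FIELDS)
        if not scoped:
            findings.append((name, "NOAPFCHK without PROGRAM/JOBNAME/USERID scope"))
        elif "STATUS=ACCESS" not in fields.get("RACROUTE", "").upper():
            findings.append((name, "NOAPFCHK on a call that is not STATUS=ACCESS"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_safdefs(SAMPLE_SAFDEFS):
        print(f"SAFDEF.{name}: {reason}")
```

Run against a listing of your own SAFDEF records converted to this INSERT form; every record it reports is one where an unauthorized caller could issue unlogged STATUS=ACCESS probes from a wider set of environments than intended.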

Details on the GSO SAFDEF record can be found in the section Environments for SAF Calls (SAFDEF) of the ACF2 documentation.