is it ok to Override the default SAFDEF- SAFALL

Document ID : KB000074966
Last Modified Date : 28/03/2018
Show Technical Document Details
Question:
Someone here in the past decided to add SAFDEF GSO records that look like:

SAF00025 JOBNAME=********   USERID=********   PROGRAM=********   RB=********
         RETCODE=4          SAFDEF=GSO        MODE=IGNORE        SUBSYS=****
         FUNCRET=4          FUNCRSN=0                                       

This GSO definition overrides the ACF2-provided SAFALL safdef, which specifies MODE=GLOBAL.
All SAF calls that don't have a safdef to control validation will use this record.
should i continue to run with this safdef or should I use the ACF2 default. 
Answer:
A mode(ignore) override to SAFALL is a security exposure. the default with SAFALL is mode(global) which means to validate anything that is not already included in another safdef. ACF2 philosophy is protection by default. With a mode(ignore) override - that philosophy would be compromised.