We are unsure of the GSO SAFDEF “NOAPFCHK” parameter. What is this parameter used for and it is ok to have this set? Are there any security concerns in doing this?

Document ID : KB000094249
Last Modified Date : 03/05/2018
Show Technical Document Details
Question:
We are unsure of the GSO SAFDEF “NOAPFCHK” parameter. What is this parameter used for and it is ok to have this set? Are there any security concerns in doing this?
Answer:
STATUS=ACCESS is a keyword used in the RACROUTE REQUEST=AUTH security macro. It permits a user to interrogate security definitions (access and resource rules) to determine the access level for a user. No auditing is performed. 

To maintain system integrity, CA ACF2 requires that a user be APF-authorized to access security definitions; however, some products that use STATUS=ACCESS are not APF-authorized when they issue the request. The result is that CA ACF2 abends the task with a S047 from ACF9C000. 

To accommodate products that require to issue a RACROUTE STATUS=ACCESS call from a NON-APF-authorized program/state, CA ACF2 lets the security administrator define the specific calls for which the authorization check for STATUS=ACCESS will be bypassed. This is done with the NOAPFCHK keyword on a SAFDEF record that describes the specific environment from which 
this call is made. 

Use of this parameter results in a less secure system because it allows a user the ability to create a program which can invoke STATUS=ACCESS requests from an unauthorized environment. 

Since no logging is performed a user could exploit the NOAPFCHK to probe for vulnerabilities in the security permissions. STATUS=ACCESS provides the ability to query the security system for the level of access to a given resource.

Details on the GSO SAFDEF can be found section Environments for SAF Calls (SAFDEF) of the ACF2 documentation.