Does SYS1.UADS need to be protected on the system if ACF2 and NOUADS is active?

Document ID : KB000124349
Last Modified Date : 14/01/2019
Introduction:
SYS1.UADS is a dataset that contains the list of users, and possibly passwords, that can access the mainframe system. UADS was used for logon before external security managers (ESMs) like ACF2, Top Secret, and RACF were used.
Question:
The system is running with ACF2 and NOUADS, so is protecting SYS1.UADS needed?
Answer:
If ACF2 or any security manager goes belly up, then SYS1.UADS is the only place that would contain an ID and password to log on to the system with. Yes, SYS1.UADS should be protected from read, write, and allocate access by everyone except the special users, like the main system programmers. There should also be a vanilla startup proc, one that does not have any ACF2 libraries in LPA or the linklist, in case an IPL is needed without the ESM.