Just what does it mean for a program to be running in an authorized state in a z/OS or OS/390 environment?
According to the IBM ABC's of z/OS System Programming - Volume 2 Redbook, "the authorized program facility (APF) is a mechanism offered by z/OS and OS/390 environments to restrict the access to sensitive system functions or user programs. APF was designed to avoid system exposures. Each installation will identify what libraries contain those special functions or programs. Those libraries are then called the APF libraries.
Many system functions, such as entire supervisor calls (SVC) or special paths through SVCs, are sensitive. Access to these functions must be restricted to only authorized programs to avoid compromising the security and integrity of the system.
The operating system considers a program authorized if the program has one or more of the following characteristics:
Runs in a supervisor state
Runs with PSW key 0 to 7
Runs under an APF-authorized job, step, or task."
Does the CA-Datacom MUF require that it be run in an authorized state?
No. However, there is a growing list of features and facilities within the CA-Datacom MUF that require MUF to execute in an authorized state. These features provide significant benefit to most CA-Datacom environments.
What are these current CA-Datacom features and facilities that require the MUF to run authorized?
- PAGEFIX (pre-r11)
- DB Subsystem
- Cross System Coupling Facility (XCF)
- Memory Resident Data Facility (MRDF) using Virtual Storage
- Data Sharing
- Resource Recovery Services (RRS)
- Extended TIOT for dynamic data set allocation (DIAGOPTION 1,8,ON)
- SMFRTY parameter
- NEWCOPY command
- 64 bit capability
- DBUTLTY function REORG
- DBUTLTY function REPORT MEMORY=CF
- Utilizing CA-Datacom security with an external security package
How do I make my MUF run AUTHORIZED?
The MUF is authorized when either: all of the executable libraries in the JOBLIB/STEPLIBs are authorized, or when there are no JOBLIB/STEPLIBs and all of the CA-Datacom modules are accessible from the LNKLST which is also APF authorized.
The MUF detects authorization at startup and, if authorization is not present, issues the following informational message:
DB00210I - MULTI-USER NOT RUNNING AUTHORIZED (pre-r11 SP2)
In r11 SP2, the message will always appear and has been altered to reflect:
DB00210I - MULTI-USER RUNNING AUTHORIZED - xxx
where xxx is YES or NO
What are some of the reasons why an executable library would not be authorized?
- The executable library is not in the LNKLST.
- The executable library is in the LNKLST but the LNKLST is not APF authorized (that is, LNKAUTH=APFTAB in the IEASYSxx was specified).
- The library is not specified on the volume that is reflected in the APF list in SYS1.PARMLIB member IEAAPFxx or PROGxx.
- The library is in a JOBLIB/STEPLIB concatenation, but not all of the libraries in that concatenation are APF authorized.