Using APF to restrict access to system functions
The authorized program facility (APF) allows your installation to identify system or user programs that can use sensitive system functions.
APF does the following:
- Restricts the use of sensitive system SVC routines (and sensitive user SVC routines, if you need them) to APF-authorized programs.
- Allows the system to fetch all modules in an authorized job step task only from authorized libraries, to prevent programs from counterfeiting a module in the module flow of an authorized job step task.
For a job step task to run with APF authorization, its first module must meet both of the following conditions:
- The module is contained in an authorized library or resides in the link pack area (pageable LPA, modified LPA, fixed LPA, or dynamic LPA) (see APF-authorized libraries).
- The module is link-edited with authorization code AC=1 (to indicate that you want to authorize the job step task). This code is contained in a bit setting in the partitioned data set (PDS) directory entry for the module. For more information about how to assign an authorization code to a module, see Assigning APF authorization to a load module.
The authorization code (AC) is meaningful only when the load module resides in an authorized library and runs as the first module of a job step task, or when run by the TSO/E terminal monitor program or UNIX System Services with appropriate configuration parameters. When a program is run with APF authorization, the system verifies that all subsequent modules for that program are contained in authorized libraries or the link pack area (pageable LPA, modified LPA, fixed LPA, or dynamic LPA). If one or more of the programs are not contained in authorized libraries or the link pack area, the system issues abend X'306'.
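The rules above can be checked against a planned module flow with a small model. The following Python sketch is an added example, not z/OS or IBM code: it is a simplified model of the job step case only (it does not cover the TSO/E or UNIX System Services cases), and all data set and module names are hypothetical.

```python
from dataclasses import dataclass

LPA = "LPA"  # stands for pageable, modified, fixed, or dynamic LPA

@dataclass(frozen=True)
class Module:
    name: str
    library: str   # data set name, or LPA
    ac: int = 0    # authorization code from the PDS directory entry

def trusted_source(module, apf_list):
    """True if the module is in an authorized library or the link pack area."""
    return module.library == LPA or module.library in apf_list

def run_job_step(modules, apf_list):
    """Model one job step; modules[0] is the first module of the job step task.

    Returns (authorized, outcome).
    """
    first = modules[0]
    # Both conditions must hold: AC=1 alone, or an authorized library alone,
    # does not authorize the job step task.
    authorized = first.ac == 1 and trusted_source(first, apf_list)
    if authorized:
        # Every later module must also come from an authorized library or LPA.
        for m in modules[1:]:
            if not trusted_source(m, apf_list):
                return authorized, f"abend X'306' fetching {m.name} from {m.library}"
    return authorized, "completed"

# Constructed sample data: hypothetical APF list and module flows.
APF_LIST = {"SYS1.LINKLIB", "PROD.AUTHLIB"}
CASES = {
    "ac1_in_apf": [Module("PAYAUTH", "PROD.AUTHLIB", 1), Module("HELPER", "SYS1.LINKLIB")],
    "ac1_not_apf": [Module("PAYAUTH", "USER.LOADLIB", 1)],
    "ac0_in_apf": [Module("REPORT", "PROD.AUTHLIB", 0), Module("HELPER", "USER.LOADLIB")],
    "counterfeit": [Module("PAYAUTH", "PROD.AUTHLIB", 1), Module("HELPER", "USER.LOADLIB")],
    "lpa_helper": [Module("PAYAUTH", "PROD.AUTHLIB", 1), Module("SVCSTUB", LPA)],
}

def evaluate_cases():
    """Run every constructed case against APF_LIST."""
    return {label: run_job_step(mods, APF_LIST) for label, mods in CASES.items()}

if __name__ == "__main__":
    for label, (authorized, outcome) in evaluate_cases().items():
        print(f"{label:12} authorized={authorized!s:5} {outcome}")
```

The "ac0_in_apf" case shows that an unauthorized job step can fetch modules from any library; the fetch restriction and the X'306' abend apply only once the step is running with APF authorization.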