Using APF to restrict access to system functions

The authorized program facility (APF) allows your installation to identify system or user programs that can use sensitive system functions.

APF:
  • Restricts the use of sensitive system SVC routines (and sensitive user SVC routines, if you need them) to APF-authorized programs.
  • Allows the system to fetch all modules in an authorized job step task only from authorized libraries, to prevent programs from counterfeiting a module in the module flow of an authorized job step task.

To authorize a program, the installation must first assign the authorization code to the first load module of the program. APF prevents authorized programs from accessing any load module that is not in an authorized library. When the system attaches the first load module of a program, the system considers the program APF-authorized if the module meets both of the following criteria:
  • The module is contained in an authorized library or resides in the link pack area (pageable LPA, modified LPA, fixed LPA, or dynamic LPA) (see APF-authorized libraries).
  • The module is link-edited with authorization code AC=1 (to indicate that you want to authorize the job step task). This code is contained in a bit setting in the partitioned data set (PDS) directory entry for the module. For more information about how to assign an authorization code to a module, see Assigning APF authorization to a load module.

If the system does not consider a program APF-authorized when it attaches the first load module, the program cannot become authorized for the life of the job step.

Note: This description applies to batch jobs and started tasks, where the initiator attaches the job step task and determines the APF authorization for that job step. The TSO/E terminal monitor program (TMP) and UNIX System Services can also run programs with APF authorization, as the initiator does. Other system environments generally do not support running programs with APF authorization.

The authorization code (AC) is meaningful only when the load module resides in an authorized library and runs as the first module of a job step task, or when run by the TSO/E terminal monitor program or UNIX System Services with appropriate configuration parameters. When a program is run with APF authorization, the system verifies that all subsequent modules for that program are contained in authorized libraries or the link pack area (pageable LPA, modified LPA, fixed LPA, or dynamic LPA). If one or more of the programs are not contained in authorized libraries or the link pack area, the system issues abend X'306'.
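
The rules above can be traced with a small model. This is an added example, not IBM code: it covers only the initiator case, ignores the TSO/E and UNIX System Services paths, and all class, function, module and data set names in it are assumptions made for illustration.

```python
from dataclasses import dataclass

LPA = "*LPA*"  # stand-in for pageable, modified, fixed or dynamic LPA

@dataclass(frozen=True)
class Module:
    name: str
    library: str  # data set name, or LPA
    ac: int = 0   # authorization code from the PDS directory entry

class Abend306(Exception):
    """An authorized step tried to load from an unauthorized library."""

def from_authorized_source(mod, apf_list):
    return mod.library == LPA or mod.library in apf_list

def run_step(modules, apf_list):
    """Return (authorized, loaded names); modules[0] is attached first."""
    first = modules[0]
    # Both criteria must hold when the first module is attached, and the
    # outcome is fixed for the life of the job step.
    authorized = first.ac == 1 and from_authorized_source(first, apf_list)
    loaded = [first.name]
    for mod in modules[1:]:
        if authorized and not from_authorized_source(mod, apf_list):
            raise Abend306(f"{mod.name} from {mod.library}")
        loaded.append(mod.name)  # a later module's AC never changes the state
    return authorized, loaded

def dormant_ac1(inventory, apf_list):
    """AC=1 modules whose library is not authorized: the code is not
    meaningful there, so each one deserves a review of why it is set."""
    return sorted(m.name for m in inventory
                  if m.ac == 1 and not from_authorized_source(m, apf_list))

# Constructed sample data (data set and module names are hypothetical).
APF_LIST = {"SYS1.LINKLIB", "PROD.AUTHLIB"}
PAYMAIN = Module("PAYMAIN", "PROD.AUTHLIB", ac=1)
PAYSUB = Module("PAYSUB", "PROD.AUTHLIB")
SVCHELP = Module("SVCHELP", LPA)
USERX = Module("USERX", "USER.LOADLIB", ac=1)

if __name__ == "__main__":
    print(run_step([PAYMAIN, PAYSUB, SVCHELP], APF_LIST))
    print(run_step([USERX, PAYSUB], APF_LIST))
    print(run_step([PAYSUB, PAYMAIN], APF_LIST))
    print(dormant_ac1([PAYMAIN, PAYSUB, SVCHELP, USERX], APF_LIST))
    try:
        run_step([PAYMAIN, USERX], APF_LIST)
    except Abend306 as exc:
        print("abend X'306':", exc)
```

The second and third calls show the two ways a step ends up unauthorized: AC=1 outside an authorized library, and AC=0 on the first module even though an AC=1 module is loaded later.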