APF authorization of the software

For most purposes, the program object library containing zSecure must be APF authorized. APF authorization affects zSecure components in the following ways:

• zSecure Collect can access relevant information
• The following components work only if they are run with APF authorization.
  • The CKGRACF program, a component of zSecure Admin and zSecure Visual
  • zSecure Alert
  • The zSecure Command Execution Utility CKX
  • Access Monitor, an optional function of zSecure Admin
  • The RACF® Exit Activator used by zSecure Audit, Alert, and Access Monitor for zSecure Admin
  • The zSecure Server
• The CKRCARLA program and the zSecure Audit functions can run without APF authorization. However, with this configuration:
  • You cannot directly issue commands.
  • Using a CKFREEZE data set that was created by a non-authorized zSecure Collect program produces incomplete results.
• The data set that contains the ERBSMFI program (by default, SYS1.SERBLINK) must be APF-authorized. The ERBSMFI program itself does not need APF, but zSecure Collect invokes this program, which is not allowed when ERBSMFI resides in a non-APF library. In many installations, SYS1.SERBLINK is part of the linklist and as such APF-authorized, but when the safer LNKAUTH=APFTAB setting is in effect, you must explicitly include SYS1.SERBLINK, or its local equivalent, in the APF-list.