Using the Authorized Debug facility for protected programs

If your users need to use the Dynamic Debug facility to debug programs that are loaded into protected storage (located in subpool 251 or 252), your security administrator must authorize those users to use the Authorized Debug facility. Examples of reentrant programs that are loaded into protected storage are:

Re-entrant programs loaded from an APF authorized library by MVS™
Programs loaded by CICS® into RDSA or ERDSA because RENTPGM=PROTECT

Important: Before you do this task, you must have installed and verified the SVCs.

To authorize users to use the Authorized Debug facility:

Establish a profile for the Authorized Debug Facility in the FACILITY class by entering the RDEFINE command:
```
RDEFINE FACILITY EQADTOOL.AUTHDEBUG UACC(NONE)
```
Verify that generic profile checking is in effect for the class FACILITY by entering the following command:
```
SETROPTS GENERIC(FACILITY)
```
Give a user permission to use the Authorized Debug Facility by entering the following command, where DUSER1 is the name of a RACF-defined user or group profile:
```
PERMIT EQADTOOL.AUTHDEBUG CLASS(FACILITY) ID(DUSER1) ACCESS(READ)
```
Instead of connecting individual users, the security administrator can specify DUSER1 to be a RACF® group profile and then connect authorized users to the group.
In CICS, z/OS® Debugger checks that the region user ID is authorized instead of an individual CICS user ID.
If the FACILITY class is not active, activate the class by entering the SETROPTS command:
```
SETROPTS CLASSACT(FACILITY)
```
Issue the SETROPTS LIST command to verify that FACILITY class is active.
Refresh the FACILITY class by issuing the SETROPTS RACLIST command:
```
SETROPTS RACLIST(FACILITY) REFRESH
```