IBM z/OS Debugger Authorization

IBM z/OS® Debugger 17.0.0 allows system programmers to restrict debugging of specific load modules, and of programs running under surrogate user IDs, by defining SAF/RACF profiles.

  • To restrict debug access to the load module MODULE1, define a profile EQAAUTH.MODULE.MODULE1 in class FACILITY with universal access NONE. To allow a certain user to debug MODULE1, give the user READ access to that profile.
  • To restrict debug access to programs running under the surrogate ID STCUSR1, define a profile EQAAUTH.USER.STCUSR1 in class FACILITY with universal access NONE. To allow a certain user to debug such a program, give the user READ access to that profile.
    Note: Users are always allowed to debug programs running under their own ID; no user profile check is done in this case.

In both cases, a non-existent profile means debugging is allowed.

Note: Certain security products return access=NONE for undefined profiles, thus a user appears to be unauthorized to debug a program. If you use such a product, define generic profiles EQAAUTH.MODULE.* and EQAAUTH.USER.* with universal access READ.

Authorization is supported for MVS modules and is not supported for z/OS UNIX programs.

Example: Forbid anyone except IBMUSER from debugging MODULE1

RDEFINE FACILITY EQADTOOL.AUTH.MODULE.MODULE1 UACC(NONE)
PERMIT EQADTOOL.AUTH.MODULE.MODULE1 CLASS(FACILITY) ACCESS(READ) ID(IBMUSER)
SETROPTS RACLIST(FACILITY) REFRESH
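
Because a missing profile means debugging is allowed, and a generic profile with universal access READ grants it to everyone, the check below lists modules and surrogate IDs that are left open to all users. It is an added example, not IBM code; the profile inventory, the PAYROLL1 and STCUSR2 names, the default prefix (taken from the bullet list above) and the simplified generic matching are assumptions.

```python
from fnmatch import fnmatchcase

def effective_uacc(resource, profiles):
    """UACC of the profile covering `resource`, or None when none is defined.

    Simplified model (assumption): a discrete profile wins, otherwise the
    longest matching generic; '*' is matched with fnmatch, not RACF's rules.
    """
    if resource in profiles:
        return profiles[resource]
    generics = [p for p in profiles if "*" in p and fnmatchcase(resource, p)]
    return profiles[max(generics, key=len)] if generics else None

def audit(modules, surrogate_ids, profiles, prefix="EQAAUTH"):
    """Return (resource, reason) for every name that any user may debug.

    `prefix` must be the profile prefix your installation really defines.
    """
    findings = []
    for kind, names in (("MODULE", modules), ("USER", surrogate_ids)):
        for name in names:
            resource = f"{prefix}.{kind}.{name}"
            uacc = effective_uacc(resource, profiles)
            if uacc is None:
                findings.append((resource, "no profile defined"))
            elif uacc != "NONE":
                findings.append((resource, f"covered only by UACC({uacc})"))
    return findings

# Constructed inventory: profile name -> universal access (not real output).
SAMPLE_PROFILES = {
    "EQAAUTH.MODULE.MODULE1": "NONE",
    "EQAAUTH.MODULE.*": "READ",
    "EQAAUTH.USER.STCUSR1": "NONE",
}
SENSITIVE_MODULES = ["MODULE1", "PAYROLL1"]   # hypothetical names
SURROGATE_IDS = ["STCUSR1", "STCUSR2"]        # hypothetical names

if __name__ == "__main__":
    for resource, reason in audit(SENSITIVE_MODULES, SURROGATE_IDS,
                                  SAMPLE_PROFILES):
        print(f"OPEN  {resource}: {reason}")
```

Each reported resource needs its own profile with universal access NONE, plus READ permits for the users who are meant to debug it.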