IBM z/OS Debugger Authorization

IBM® z/OS® Debugger v17.0.0 defines certain SAF/RACF profiles that allow system programmers to limit debug access to load modules, compilation units, and programs running under surrogate user IDs.

  • To restrict debug access to the load module MODULE1, define a profile EQAAUTH.MODULE.MODULE1 of class FACILITY and universal access NONE. To allow a certain user to debug MODULE1, give the user READ access to that profile.
  • To restrict debug access to the compilation unit CU1, define a profile EQAAUTH.CU.CU1 of class FACILITY and universal access NONE. To allow a certain user to debug CU1, give the user READ access to that profile. To obtain the list of compilation unit names inside a load module, use the DESC LOADMOD command in the debug console.
  • To restrict debug access to a program running under the surrogate ID STCUSR1, define a profile EQAAUTH.USER.STCUSR1 of class FACILITY and universal access NONE. To allow a certain user to debug such a program, give the user READ access to that profile.
    Note: You can always debug programs that run under your own ID; the user profile check is not done in this case.

In all cases, if the profile does not exist, debugging is allowed.

Note: Certain security products return access=NONE for undefined profiles, thus a user appears to be unauthorized to debug a program. If you use such a product, define generic profiles EQAAUTH.MODULE.*, EQAAUTH.CU.**, and EQAAUTH.USER.* with universal READ access.

Module-level authorization is supported for MVS modules and not supported for z/OS UNIX programs. We recommend using CU-level authorization for z/OS UNIX programs.

Example: Forbid anyone except IBMUSER from debugging MODULE1.

RDEFINE FACILITY EQAAUTH.MODULE.MODULE1 UACC(NONE)
PERMIT EQAAUTH.MODULE.MODULE1 CLASS(FACILITY) ACCESS(READ) ID(IBMUSER)
SETROPTS RACLIST(FACILITY) REFRESH
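The following is an added example, not part of the original IBM page, that extends the MODULE1 example to all three profile types, adds the generic fallback profiles from the note above for security products that answer NONE for undefined profiles, and ends with a verification step. It uses the names from this page (IBMUSER, MODULE1, CU1, STCUSR1); the assumption that generic profile checking must be switched on for the class with SETROPTS GENERIC(FACILITY) is not stated on this page.

```racf
/* Discrete profiles: lock down the three named resources (UACC NONE) */
/* and let only IBMUSER debug them.                                    */
RDEFINE FACILITY EQAAUTH.MODULE.MODULE1 UACC(NONE)
RDEFINE FACILITY EQAAUTH.CU.CU1 UACC(NONE)
RDEFINE FACILITY EQAAUTH.USER.STCUSR1 UACC(NONE)
PERMIT EQAAUTH.MODULE.MODULE1 CLASS(FACILITY) ACCESS(READ) ID(IBMUSER)
PERMIT EQAAUTH.CU.CU1 CLASS(FACILITY) ACCESS(READ) ID(IBMUSER)
PERMIT EQAAUTH.USER.STCUSR1 CLASS(FACILITY) ACCESS(READ) ID(IBMUSER)

/* Generic fallback profiles, needed only with a security product that  */
/* returns NONE for undefined profiles: everything not covered by a     */
/* discrete profile stays debuggable. Assumption: generic profiles must */
/* be active for the class before these can be defined.                 */
SETROPTS GENERIC(FACILITY)
RDEFINE FACILITY EQAAUTH.MODULE.* UACC(READ)
RDEFINE FACILITY EQAAUTH.CU.** UACC(READ)
RDEFINE FACILITY EQAAUTH.USER.* UACC(READ)

/* Make the new and changed profiles effective in storage. */
SETROPTS RACLIST(FACILITY) REFRESH

/* Verify: the discrete MODULE1 profile (UACC NONE, IBMUSER READ) is the */
/* most specific match and wins over the generic READ profile.           */
RLIST FACILITY EQAAUTH.MODULE.MODULE1 AUTHUSER
RLIST FACILITY EQAAUTH.MODULE.* AUTHUSER
```

The RLIST output for each profile should show UACC and the access list; a user who is not IBMUSER should appear only through the generic profile's UACC(READ), never on the discrete profile.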