Recommendations for system portion of library list

This topic provides the recommendations for the system portion of the library list.

The system portion of the library list is intended for IBM-supplied libraries. Application libraries that are carefully controlled can also be placed in the system portion of the library list. The system portion of the library list represents the greatest security exposure, because the libraries in this part of the list are searched first.

Only a user with *ALLOBJ and *SECADM special authority can change the QSYSLIBL system value. Control and monitor any changes to the system portion of the library list. Follow these guidelines when adding libraries:

Only libraries that are specifically controlled should be placed on this list.
The public should not have *ADD authority to these libraries.
A few IBM-supplied libraries, such as QGPL are shipped with public authority *ADD for production reasons. Regularly monitor what objects (particularly programs, source files, and commands) are added to these libraries.

The CHGSYSLIBL command is shipped with public authority *EXCLUDE. Only users with *ALLOBJ authority are authorized to the command, unless you grant authority to other users. If the system library list needs to be changed temporarily during a job, you can use the technique described in the topic Changing the system library list.