Security on z/OS
Previous topic | Next topic | Contents | Glossary | Contact z/OS | PDF

What is the authorized program facility?

Security on z/OS

The authorized program facility or APF is used to allow the installation to identify system or user programs that can use sensitive system functions. To maintain system security and integrity, a program must be authorized by the APF before it can access restricted functions, such as supervisor calls (SVC) or SVC paths. APF helps to avoid integrity exposures; the installation identifies which libraries contain special functions or programs. These libraries are then called APF libraries.

An authorized program can do virtually anything that it wants. It is essentially an extension of the operating system. It can put itself into supervisor state or a system key. It can modify system control blocks. It can execute privileged instructions (while in supervisor state). It can turn off logging to cover its tracks. Clearly, this authorization must be given out sparingly and monitored carefully.

Your installation can use the authorized program facility (APF) to identify system or user programs that can use sensitive system functions. For example, APF allows your installation to:

  • Restrict the use of sensitive system supervisor call (SVC) routines (and sensitive user SVC routines, if you need them) to APF-authorized programs.
  • Allow the system to fetch all modules in an authorized job step task only from authorized libraries, to prevent programs from counterfeiting a module in the module flow of an authorized job step task.

Many system functions, such as supervisor calls (SVCs) or special paths through SVCs, are sensitive. Access to these functions must be restricted to only authorized programs to avoid compromising the security and integrity of the system.

The system considers a task authorized when the executing program has the following characteristics:

  • It runs in supervisor state (bit 15 of the program status word (PSW) is zero).
  • It runs with PSW key 0 to 7 (bits 8 through 11 of the PSW contain a value in the range 0 to 7).
  • All previous programs executed in the same task were APF programs.
APF-authorized programs must reside in one of the following authorized libraries:
  • Authorized libraries specified by your installation.

Authorized libraries are defined in an APF list, or in the link pack area. Any module in the link pack area (pageable LPA, modified LPA, fixed LPA, or dynamic LPA) will be treated by the system as though it came from an APF-authorized library.

The installation must ensure that it has properly protected SYS1.LPALIB and any other library that contributes modules to the link pack area to avoid system security and integrity exposures, just as it would protect any APF-authorized library.

APF also prevents authorized programs (supervisor state, APF-authorized, PSW key 0-7, or PKM 0-7) from accessing a load module that is not in an APF-authorized library.

Copyright IBM Corporation 1990, 2010