Assigning the RACF TRUSTED attribute

You can use RACF® to assign the TRUSTED attribute to key started procedures and address spaces. Doing so generally allows the started procedure or address space to bypass RACF authorization checking and to successfully access or create any resource it needs.

A trusted started procedure or address space is treated as a z/OS® UNIX superuser if a z/OS UNIX user identifier (UID) is assigned to it in the OMVS segment, even when the assigned UID is not 0.

Guidelines:
  • Assign the TRUSTED attribute when one of the following conditions applies:
    • The started procedure or address space creates or accesses a wide variety of unpredictably named data sets within your installation.
    • Insufficient authority to an accessed resource might risk an unsuccessful IPL or other system problem.
  • Avoid assigning TRUSTED to a z/OS started procedure or address space unless it is listed here or you are instructed to do so by the product documentation.
Assign the TRUSTED attribute to the following z/OS started tasks and address spaces:
  • CATALOG
  • CEA for z/OSMF ISPF applications
  • DUMPSRV
  • HIS
  • IEEVMPCR
  • IOSAS
  • IXGLOGR
  • JES2 or JES3
  • JESXCF
  • JES3AUX
  • LLA
  • NFS
  • RACF
  • RMF™
  • RMFGAT
  • SMF
  • SMSPDSE1
  • TCPIP
  • VLF
  • VTAM®
  • WLM
  • XCFAS
  • SMS
Optional candidates for the TRUSTED attribute include the following:
  • APSWPROA, APSWPROB, APSWPROC, APSWPROM, or APSWPROT
  • CEA (optional for everything except z/OSMF ISPF applications)
  • DFHSM
  • DFS
  • GPMSERVE
  • OMVS
  • SMSVSAM
  • zFS
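
One way to check an installation against the two lists above, as an added example that is not IBM code: the script reads a text listing of STARTED class profiles and reports TRUSTED profiles whose procedure name is on neither list, TRUSTED generic profiles, and listed tasks that are not TRUSTED. The listing layout (a `STARTED <profile>` line followed by a `TRUSTED= YES|NO` line) is an assumption modelled on `RLIST STARTED * STDATA` output, and the sample profiles and user IDs are constructed.

```python
import re

# Started task names copied from the two lists on this page.
REQUIRED = {"CATALOG", "CEA", "DUMPSRV", "HIS", "IEEVMPCR", "IOSAS", "IXGLOGR",
            "JES2", "JES3", "JESXCF", "JES3AUX", "LLA", "NFS", "RACF", "RMF",
            "RMFGAT", "SMF", "SMSPDSE1", "TCPIP", "VLF", "VTAM", "WLM",
            "XCFAS", "SMS"}
OPTIONAL = {"APSWPROA", "APSWPROB", "APSWPROC", "APSWPROM", "APSWPROT", "CEA",
            "DFHSM", "DFS", "GPMSERVE", "OMVS", "SMSVSAM", "ZFS"}

# Constructed sample; the layout is an assumption, adjust the regexes to your listing.
SAMPLE = """\
STARTED    JES2.* (G)
USER= STCJES
TRUSTED= YES
STARTED    CATALOG.* (G)
TRUSTED= NO
STARTED    PAYROLL.* (G)
TRUSTED= YES
STARTED    ** (G)
TRUSTED= YES
"""

def parse_profiles(listing):
    """Return {profile_name: trusted_bool}; unrelated lines are ignored."""
    profiles, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"\s*STARTED\s+(\S+)", line)
        if m:
            current = m.group(1).upper()
            profiles[current] = False   # default until a TRUSTED= line is seen
            continue
        m = re.match(r"\s*TRUSTED=\s*(YES|NO)\b", line, re.I)
        if m and current:
            profiles[current] = m.group(1).upper() == "YES"
    return profiles

def audit(listing):
    """Classify each profile against the page's guidance."""
    findings = {"review_trusted": [], "generic_trusted": [], "required_not_trusted": []}
    for name, trusted in parse_profiles(listing).items():
        member = name.split(".")[0]     # procedure name part of member.jobname
        if trusted and re.search(r"[*%]", member):
            findings["generic_trusted"].append(name)       # may match unlisted tasks
        elif trusted and member not in REQUIRED | OPTIONAL:
            findings["review_trusted"].append(name)        # needs product-doc justification
        elif not trusted and member in REQUIRED:
            findings["required_not_trusted"].append(name)  # may lack needed authority
    return findings
```

A `review_trusted` entry is a prompt to look for the product documentation that calls for TRUSTED, not a confirmed misconfiguration.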

For more information, see "Associating started procedures and jobs with user IDs" in z/OS Security Server RACF System Programmer's Guide, and "Using Started Procedures" in z/OS Security Server RACF Security Administrator's Guide.