APF-authorized programs and libraries

The authorized program facility (APF) helps your installation protect the system. APF-authorized programs can access system functions that can affect the security and integrity of the system. APF-authorized programs must reside in APF-authorized libraries, which are defined in an APF list, or in the link pack area. The system treats any module in the link pack area (pageable LPA, modified LPA, fixed LPA, or dynamic LPA) as though it comes from an APF-authorized library. Ensure that you properly protect SYS1.LPALIB and any other library that contributes modules to the link pack area to avoid system security and integrity exposures, just as you protect any APF-authorized library.

Unauthorized programs can issue the CSVAPF macro to:
  • Determine whether or not a library is in the APF list
  • Determine the current format (dynamic or static) of the APF list
  • Obtain a list of all library entries in the APF list

APF also prevents authorized programs (supervisor state, APF-authorized, PSW key 0-7, or PKM 0-7) from accessing a load module that is not in an APF-authorized library. The application development documentation for programmers who use authorized programs provide more information about APF authorization.