Using EXECUTE access for programs and libraries in ENHANCED mode

This topic addresses only the differences caused by running in ENHANCED program security mode. Refer to More complex controls: Using EXECUTE access for programs or libraries (BASIC mode) for additional information.

Just as with PADS, ENHANCED program security mode puts additional restrictions on the use of execute-controlled programs. It does not matter whether they are execute-controlled because the user has EXECUTE via a PROGRAM profile or via a DATASET profile; RACF® treats both forms of execute-control the same for this purpose.

When running in BASIC program security mode, RACF allows access to execute-controlled programs only when the UACC or access list allowed the access and the user had a clean (controlled) program environment. When running in ENHANCED program security mode, just as with PADS, RACF has an additional requirement. One of the following must be true:

The program that established the current program environment has the MAIN attribute
The current program or the first program executed in the current or a parent MVS™ task has the BASIC attribute