Defining programs as MAIN or BASIC
Once you have decided which of your programs to define as MAIN
and which as BASIC (if any), you assign these attributes using the
APPLDATA operand on an RDEFINE PROGRAM or RALTER PROGRAM command.
Specify an APPLDATA value of 'MAIN'
or 'BASIC'
on
the RDEFINE or RALTER command for a PROGRAM profile whose name does
not end with an asterisk (*
). RACF® does not honor the MAIN or BASIC attributes
if the profile name ends in an asterisk, but only honors it for profiles
defining specific programs.
'MAIN'
denotes the program as a MAIN program,
assuming it is invoked as the first program in a job step or through
the TSO/E TSOEXEC command or IKJEFTSR service. 'BASIC'
denotes
the program as one that can access data through PADS, or run EXECUTE-controlled
programs, whether or not it runs within an environment started by
a MAIN program.
A program cannot be both a MAIN and a BASIC program because RACF honors the APPLDATA specification
only if it is 'MAIN'
or 'BASIC'
(possibly
followed by blanks).
Tip: If a program needs both the MAIN and BASIC specifications,
specify BASIC and accept the reduced level of security for all uses
of the program, or create two differently named copies of the program
and protect each separately with PROGRAM profiles, specifying one
as 'MAIN'
and one as 'BASIC'
.
'LPALST'
:RDEFINE PROGRAM LPAPROG ADDMEM('LPALST') APPLDATA('MAIN')
For programs in the link pack area, RACF allows users to execute the program, regardless of the UACC or access list, and RACF treats the program as having the NOPADCHK attribute. Define it in the PROGRAM class only if you need to provide a MAIN or BASIC attribute for it.
- You can optionally specify blanks at the end of the APPLDATA value. RACF considers, for example,
'MAIN'
and'MAIN '
, or'BASIC'
and'BASIC '
as equivalent. - RACF does not validate
the APPLDATA value when you specify it with the RDEFINE or RALTER
command. When RACF is told
to run in ENHANCED program security mode using FACILITY profile IRR.PGMSECURITY,
if RACF reads a PROGRAM profile
defining a specific program and finds that APPLDATA specifies the
'MAIN'
or'BASIC'
values, it assigns the attribute to the program. This is done during the processing of SETROPTS WHEN(PROGRAM) or SETROPTS WHEN(PROGRAM) REFRESH, or during system initialization (IPL). If APPLDATA contains some other value, RACF ignores it without issuing an error message. - When invoking MVS™ load modules
through z/OS UNIX (such
as exec(), exec_mvs(), or an exec where UNIX loads a load module rather than a z/OS UNIX file) the
'MAIN'
setting for a PROGRAM is effective only in limited cases. Specifically, it is effective when the exec() processing results in a new job step task, but not for the local spawn exec() processing because this processing results in the creation of a new subtask rather than a job step task. Consequently, exec() of load module, exec_mvs(), and non-local spawn(), or their z/OS UNIX assembler callable service equivalents, preserve the effect of the MAIN PROGRAM attribute. - When failing a request (or allowing it only due to ENHANCED-WARNING processing), RACF issues a message indicating the source and name of the non-MAIN program or the executable file that established the non-MAIN environment.