z/OS Security Server RACF Security Administrator's Guide


Defining programs as MAIN or BASIC

SA23-2289-00

Once you have decided which of your programs to define as MAIN and which as BASIC (if any), assign these attributes using the APPLDATA operand on an RDEFINE PROGRAM or RALTER PROGRAM command. Specify an APPLDATA value of 'MAIN' or 'BASIC' on the RDEFINE or RALTER command for a PROGRAM profile whose name does not end with an asterisk (*). RACF® honors the MAIN and BASIC attributes only for profiles that define specific programs; it does not honor them if the profile name ends in an asterisk.

'MAIN' denotes the program as a MAIN program, assuming it is invoked as the first program in a job step or through the TSO/E TSOEXEC command or IKJEFTSR service. 'BASIC' denotes the program as one that can access data through PADS, or run EXECUTE-controlled programs, whether or not it runs within an environment started by a MAIN program.

A program cannot be both a MAIN and a BASIC program because RACF honors the APPLDATA specification only if it is 'MAIN' or 'BASIC' (possibly followed by blanks).

Tip: If a program needs both the MAIN and BASIC specifications, specify BASIC and accept the reduced level of security for all uses of the program, or create two differently named copies of the program and protect each separately with PROGRAM profiles, specifying one as 'MAIN' and one as 'BASIC'.

Because RACF restricts the use of PADS and execute-controlled programs to environments established by a MAIN or BASIC program, there might be situations where the program that establishes the environment resides in the system link pack area (LPA, PLPA, FLPA, MLPA, or dynamic LPA). If you need to define such a program to RACF to indicate that it has the MAIN or BASIC attribute, use a library name of 'LPALST':
RDEFINE PROGRAM LPAPROG ADDMEM('LPALST') APPLDATA('MAIN') 

For programs in the link pack area, RACF allows users to execute the program, regardless of the UACC or access list, and RACF treats the program as having the NOPADCHK attribute. Define it in the PROGRAM class only if you need to provide a MAIN or BASIC attribute for it.

Note:
  1. You can optionally specify blanks at the end of the APPLDATA value. RACF considers, for example, 'MAIN' and 'MAIN ', or 'BASIC' and 'BASIC   ' as equivalent.
  2. RACF does not validate the APPLDATA value when you specify it with the RDEFINE or RALTER command. When RACF is told to run in ENHANCED program security mode using FACILITY profile IRR.PGMSECURITY, if RACF reads a PROGRAM profile defining a specific program and finds that APPLDATA specifies the 'MAIN' or 'BASIC' values, it assigns the attribute to the program. This is done during the processing of SETROPTS WHEN(PROGRAM) or SETROPTS WHEN(PROGRAM) REFRESH, or during system initialization (IPL). If APPLDATA contains some other value, RACF ignores it without issuing an error message.
  3. When invoking MVS™ load modules through z/OS UNIX (such as exec(), exec_mvs(), or an exec where UNIX loads a load module rather than a z/OS UNIX file), the 'MAIN' setting for a PROGRAM is effective only in limited cases. Specifically, it is effective when the exec() processing results in a new job step task, but not for the local spawn exec() processing, because this processing results in the creation of a new subtask rather than a job step task. Consequently, exec() of a load module, exec_mvs(), and non-local spawn(), or their z/OS UNIX assembler callable service equivalents, preserve the effect of the MAIN PROGRAM attribute.
  4. When failing a request (or allowing it only due to ENHANCED-WARNING processing), RACF issues a message indicating the source and name of the non-MAIN program or the executable file that established the non-MAIN environment.
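
Because RACF does not validate APPLDATA and ignores unrecognized values without a message, a definition can look as if it grants MAIN or BASIC when it does not. The following Python is an added example, not IBM code: it applies the rules stated on this page to constructed (profile name, APPLDATA) pairs and reports the profiles whose attribute would not be honored. Every profile name except LPAPROG is hypothetical, and values that differ from MAIN or BASIC only by case or leading blanks are flagged for review as an assumption of this example.

```python
# Added example: classify PROGRAM profile APPLDATA values per the rules above.
# Profile names other than LPAPROG are hypothetical; the records are constructed.

HONORED = ("MAIN", "BASIC")

def classify(profile, appldata):
    """Return (status, reason) for one PROGRAM profile name and its APPLDATA."""
    if appldata is None or not appldata.strip(" "):
        return ("none", "no APPLDATA value")
    value = appldata.rstrip(" ")          # trailing blanks are equivalent
    if value in HONORED:
        if profile.endswith("*"):
            return ("ignored-generic",
                    f"{value} is not honored: profile name ends in '*'")
        return ("honored", f"{value} applies to this specific program")
    if value.strip().upper() in HONORED:
        # Leading blanks or lowercase: not the documented form, and RACF
        # gives no error for it, so send it to a human (example's assumption).
        return ("review", f"{appldata!r} resembles MAIN/BASIC but is not exact")
    return ("ignored-value", f"{appldata!r} is not MAIN or BASIC")

def audit(records):
    """Return (profile, status, reason) for every profile that is not honored."""
    findings = []
    for profile, appldata in records:
        status, reason = classify(profile, appldata)
        if status not in ("honored", "none"):
            findings.append((profile, status, reason))
    return findings

# Constructed sample input: (profile name, APPLDATA) pairs.
SAMPLE = [
    ("LPAPROG", "MAIN"),
    ("PAYCALC", "BASIC   "),
    ("PAY*", "MAIN"),
    ("RPTGEN", "MAINPGM"),
    ("DBLOAD", " BASIC"),
    ("DBUNLD", "main"),
    ("OTHER", ""),
]

if __name__ == "__main__":
    for profile, status, reason in audit(SAMPLE):
        print(f"{profile:8} {status:16} {reason}")
```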





Copyright IBM Corporation 1990, 2014