You can use one of the following methods to restrict the use of
sensitive SVC routines to authorized callers:
- Specify the APF=YES parameter on the SVCUPDTE macro, or specify
APF(YES) in the IEASVCxx parmlib member. With this specification in
place, an X'047' abend results if an unauthorized program tries
to access the restricted SVC.
- Insert the TESTAUTH macro at appropriate locations in an SVC routine
to return the caller's authorization. Then the SVC routine can restrict
either the entire routine or particular paths through the routine
to authorized callers.
When using TESTAUTH to return the caller's
authorization, test only the criteria (supervisor state, PSW key 0-7,
APF authorized or any combination of the three) that you consider
essential. TESTAUTH returns an indication of whether the calling
program meets any of the three criteria. For example, various system
functions use TESTAUTH to make the following distinctions:
a. The caller is running in supervisor state, PSW key 0-7, or both.
b. The caller is an APF-authorized task.
c. Either a or b.
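The following sketch shows TESTAUTH guarding one path through an SVC routine while leaving another path open. It is an added illustration, not IBM sample code: the SVC number (201), the module name, the function codes passed in register 0, and return code 8 are all hypothetical, and the routine is assumed to be a type 3 SVC that holds no locks.

```hlasm
*  Added illustration, not IBM sample code. SVC number 201, the
*  function codes in R0 and return code 8 are hypothetical.
IGC0020A CSECT ,                  Type 3 SVC routine (SVC 201)
IGC0020A AMODE 31
IGC0020A RMODE ANY
         LR    12,6               R6 = entry point address at entry
         USING IGC0020A,12
         LR    11,14              Keep the SVC exit address
         LR    9,0                Caller's function code (from R0)
         CHI   9,4                Function 4 is the sensitive path
         BE    CHKAUTH
*  Function 0: unrestricted path, no authorization test.
         B     RETOK
*  Test only what this path needs: APF authorization (FCTN=1).
*  STATE=YES and KEY=YES are left off deliberately.
CHKAUTH  TESTAUTH FCTN=1
         LTR   15,15              0 = authorized, 4 = not authorized
         BNZ   REJECT
*  ... sensitive processing for authorized callers goes here ...
RETOK    SR    15,15              Return code 0 to the caller
         B     EXIT
REJECT   LA    15,8               Hypothetical "not authorized" code
EXIT     LR    14,11              Restore the SVC exit address
         BR    14                 Return through the SVC exit
         END   IGC0020A
```

Here the check corresponds to distinction b in the list above; a path that should also accept supervisor-state or key 0-7 callers would add the STATE=YES and KEY=YES operands to the same TESTAUTH invocation.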
The TESTAUTH macro is not used to test the use of I/O appendages,
which are instead controlled through the IEAAPP00 parmlib member.
(See the description of this member in z/OS MVS Initialization and Tuning Reference.)