Protecting z/OS System Datasets

It’s important to keep your z/OS system datasets protected. The table below, sets the advised security UACC settings to many of the system datasets.

For system data sets that are listed in with a UACC greater than NONE, you might prefer to specify UACC(NONE) and create an access control list (ACL) entry providing the access.

Dataset UACC
APF libraries NONE
Checkpoint data sets NONE
Distribution library data sets NONE
ISPF panel libraries READ
JES2 offload data sets NONE
Load libraries READ
Master catalog READ
Page data sets NONE
PSF secure font data sets NONE
PSF secure overlay data sets NONE
PSF secure page segment data sets NONE
RACF Databases (primary, backup and any copies) NONE
RMF data sets NONE
Security definitions data sets NONE
SMP data sets NONE
Swap data sets NONE
SYS1.AMACLIB READ
SYS1.AMODGEN READ
SYS1.ASAMPLIB READ
SYS1.BRODCAST READ
SYS1.CMDLIB READ
SYS1.DAE NONE
SYS1.DUMPxx NONE
SYS1.HELP READ
SYS1.IMAGELIB NONE
SYS1.JESPARM NONE
SYS1.JES3LIB READ
SYS1.LINKLIB READ
SYS1.LOGREC NONE
SYS1.LPALIB NONE or READ
SYS1.MACLIB READ
SYS1.MANx NONE
SYS1.MIGLIB READ
SYS1.MODGEN READ
SYS1.NUCLEUS READ
SYS1.OVERLIB READ
SYS1.PARMLIB NONE or READ
SYS1.PROCLIB READ
SYS1.SAMPLIB READ
SYS1.SAXREXEC NONE or READ
SYS1.STGINDEX NONE
SYS1.SVCLIB NONE
SYS1.TELCMLIB READ
SYS1.UADS NONE
SYS1.VTOCIX… NONE
SYS1.VVDS… NONE
SYS1.VTAMLIB READ
SYS1.VTAMLST NONE
Trace data sets NONE
User catalogs UPDATE
User dump data sets NONE

You should also consider creating a generic profile (catch all) to protect system datasets; for example:

SYS1.** UACC(NONE)

By doing this, you guarantee that any new datasets added to the system with HLQ of SYS1, are by default, protected. You can then add new, more specific profiles to protect those datasets.

For any data set that is listed with a UACC of READ or higher, you should consider creating an entry in the Global Access  Table (GAT).

 

Be the first to comment

Leave a Reply

Your email address will not be published.


*