z/OS In-Built Security Features

The following are the in-built security features that come with z/OS:

  1. System Authorization Facility (SAF):
    • SAF is part of the operating system.
    • SAF is available whether or not an additional security product such as RACF, ACF2 or Top Secret is installed.
    • If an additional security product is installed, SAF routes the questions using the SAF router to the security product and routes the answer back to the resource manager.
    • SAF builds the interface between the resource managers and the security product.
  2. Authorized Program Facility (APF):
    • The APF is a feature that allows system and user programs to use sensitive system functions.
    • Many system functions are sensitive (for example, restricted SVCs), so they can be used only by authorized programs.
    • A program is authorized if one of the following conditions is true:
      • Program runs in supervisor state (bit 15 in PSW=0).
      • Program runs in system protection key (bits 8-11 in PSW contain key 0-7).
      • Program runs as part of an authorized job step task (JSCBAUTH=1). JSCBAUTH is set if the initial program is marked AC=1 and if it is loaded from an APF-authorized library or from the LPA.
  3. Program Property Table (PPT):
    • The PPT contains a list of programs that require special attributes.
    • These attributes specify whether the programs can or cannot bypass security protection (password protection and RACF) and whether they run in a system key.
    • Programs with the NOPASS parameter are able to bypass password protection for password-protected data sets and, thus, also bypass all RACF protection for RACF-protected resources.
    • The system key parameter indicates whether the program is authorized to run in a system key (keys 0 through 7) and is thus able to bypass system security controls.
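
The three APF authorization conditions listed under item 2, as an added Python example that is not part of the original page: it decodes the first word of a PSW using IBM bit numbering (bit 0 is the most significant bit) and reports which conditions hold. The function names and the sample PSW values are constructed for illustration, and the JSCBAUTH value is assumed to be supplied by the caller.

```python
# Added example: evaluate the three "authorized program" conditions.
# PSW values used here are constructed samples, not taken from a real dump.

def ibm_bits(word32, first, last):
    """Extract bits first..last of a 32-bit word, IBM numbering (bit 0 = MSB)."""
    width = last - first + 1
    return (word32 >> (31 - last)) & ((1 << width) - 1)

def authorization_reasons(psw_hex, jscbauth):
    """Return the conditions that make the program authorized (empty list = not).

    psw_hex  -- PSW as hex text; only the first 32 bits are examined, so an
                8-, 16- or 32-digit PSW is accepted (spaces are ignored)
    jscbauth -- state of the JSCBAUTH bit for the job step (caller-supplied)
    """
    digits = psw_hex.replace(" ", "")
    if len(digits) < 8:
        raise ValueError("need at least the first 32 bits of the PSW")
    word = int(digits[:8], 16)

    reasons = []
    if ibm_bits(word, 15, 15) == 0:      # bit 15 = 0 means supervisor state
        reasons.append("supervisor state")
    key = ibm_bits(word, 8, 11)          # bits 8-11 hold the protection key
    if key <= 7:                         # keys 0-7 are system keys
        reasons.append(f"system key {key}")
    if jscbauth:                         # authorized job step task
        reasons.append("JSCBAUTH=1")
    return reasons

def is_authorized(psw_hex, jscbauth):
    """One true condition is enough."""
    return bool(authorization_reasons(psw_hex, jscbauth))

if __name__ == "__main__":
    samples = [                          # (constructed PSW, JSCBAUTH)
        ("078D1000", False),             # problem state, key 8
        ("078D1000", True),              # same PSW, authorized job step
        ("070C0000", False),             # supervisor state, key 0
        ("07750000", False),             # problem state, key 7
        ("07840000 80000000", False),    # supervisor state, key 8
    ]
    for psw, auth_bit in samples:
        why = authorization_reasons(psw, auth_bit)
        print(f"{psw:<18} JSCBAUTH={int(auth_bit)} ->", why or "not authorized")
```
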
