The following are the in-built security features that come with z/OS:
- System Authorization Facility (SAF):
  - SAF is part of the operating system.
  - SAF is available whether or not an additional security product such as RACF, ACF2 or Top Secret is installed.
  - If an additional security product is installed, SAF uses the SAF router to pass the resource manager's questions to the security product and routes the answer back to the resource manager.
  - SAF provides the interface between the resource managers and the security product.
- Authorized Program Facility (APF):
  - The APF is a feature that allows system and user programs to use sensitive system functions.
  - Many system functions are sensitive (for example, restricted SVCs), so they can be used only by authorized programs.
  - A program is authorized if one of the following conditions is true:
    - The program runs in supervisor state (bit 15 in PSW=0).
    - The program runs in a system protection key (bits 8-11 in PSW contain key 0-7).
    - The program runs as part of an authorized job step task (JSCBAUTH=1). JSCBAUTH is set if the initial program is marked AC=1 and if it is loaded from an APF-authorized library or from the LPA.
- Program Property Table (PPT):
  - The PPT contains a list of programs that require special attributes.
  - These attributes specify whether the programs can or cannot bypass security protection (password protection and RACF) and whether they run in a system key.
  - Programs with the NOPASS parameter are able to bypass password protection for password-protected data sets and, thus, also bypass all RACF protection for RACF-protected resources.
  - The system key parameter indicates whether the program is authorized to run in a system key (keys 0 through 7) and is thus able to bypass system security controls.
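
The following is an added example, not part of the original page: installation-defined PPT entries are coded as PPT statements in the SCHEDxx parmlib member, so a review for the two attributes described above can be scripted. It assumes a simplified statement syntax (keywords with optional parenthesised values, `/* */` comments); the program names are constructed and `parse_ppt` and `audit_ppt` are hypothetical helper names.

```python
import re

# Constructed sample of SCHEDxx-style PPT statements (not from a real system).
SAMPLE_SCHEDXX = """\
/* constructed sample for illustration */
PPT PGMNAME(PAYROLL1) KEY(8) PASS
PPT PGMNAME(DBUTIL01) NOCANCEL
    KEY(7) NOSWAP
PPT PGMNAME(TAPECOPY) NOPASS /* bypasses data set protection */
PPT PGMNAME(MONITOR9) KEY(0) NOPASS
"""

def parse_ppt(text):
    """Return {program name: {keyword: value}} for each PPT statement."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)  # strip comments
    entries = {}
    # Assumption: a statement starts at the word PPT and runs to the next one,
    # so a statement continued over several lines is handled as a single unit.
    for stmt in re.split(r"\bPPT\b", text.upper())[1:]:
        attrs = dict(re.findall(r"([A-Z]+)(?:\(([^)]*)\))?", stmt))
        name = attrs.pop("PGMNAME", "").strip()
        if name:
            entries[name] = attrs
    return entries

def audit_ppt(text):
    """Return {program: [attributes that let it bypass security controls]}."""
    findings = {}
    for pgm, attrs in parse_ppt(text).items():
        flags = []
        if "NOPASS" in attrs:  # bypasses password and RACF protection
            flags.append("NOPASS")
        key = attrs.get("KEY", "").strip()
        if key.isdigit() and 0 <= int(key) <= 7:  # system key 0 through 7
            flags.append(f"KEY({key})")
        if flags:
            findings[pgm] = flags
    return findings

if __name__ == "__main__":
    for pgm, flags in audit_ppt(SAMPLE_SCHEDXX).items():
        print(f"{pgm}: review {', '.join(flags)}")
```

Each flagged program should have a documented reason for the attribute and should reside in a library whose update access is tightly restricted.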