Protecting z/OS System Datasets

It’s important to keep your z/OS system datasets protected. The table below, sets the advised security UACC settings to many of the system datasets.

For system data sets that are listed in with a UACC greater than NONE, you might prefer to specify UACC(NONE) and create an access control list (ACL) entry providing the access.

Dataset	UACC
APF libraries	NONE
Checkpoint data sets	NONE
Distribution library data sets	NONE
ISPF panel libraries	READ
JES2 offload data sets	NONE
Load libraries	READ
Master catalog	READ
Page data sets	NONE
PSF secure font data sets	NONE
PSF secure overlay data sets	NONE
PSF secure page segment data sets	NONE
RACF Databases (primary, backup and any copies)	NONE
RMF data sets	NONE
Security definitions data sets	NONE
SMP data sets	NONE
Swap data sets	NONE
SYS1.AMACLIB	READ
SYS1.AMODGEN	READ
SYS1.ASAMPLIB	READ
SYS1.BRODCAST	READ
SYS1.CMDLIB	READ
SYS1.DAE	NONE
SYS1.DUMPxx	NONE
SYS1.HELP	READ
SYS1.IMAGELIB	NONE
SYS1.JESPARM	NONE
SYS1.JES3LIB	READ
SYS1.LINKLIB	READ
SYS1.LOGREC	NONE
SYS1.LPALIB	NONE or READ
SYS1.MACLIB	READ
SYS1.MANx	NONE
SYS1.MIGLIB	READ
SYS1.MODGEN	READ
SYS1.NUCLEUS	READ
SYS1.OVERLIB	READ
SYS1.PARMLIB	NONE or READ
SYS1.PROCLIB	READ
SYS1.SAMPLIB	READ
SYS1.SAXREXEC	NONE or READ
SYS1.STGINDEX	NONE
SYS1.SVCLIB	NONE
SYS1.TELCMLIB	READ
SYS1.UADS	NONE
SYS1.VTOCIX…	NONE
SYS1.VVDS…	NONE
SYS1.VTAMLIB	READ
SYS1.VTAMLST	NONE
Trace data sets	NONE
User catalogs	UPDATE
User dump data sets	NONE

You should also consider creating a generic profile (catch all) to protect system datasets; for example:

SYS1.** UACC(NONE)

By doing this, you guarantee that any new datasets added to the system with HLQ of SYS1, are by default, protected. You can then add new, more specific profiles to protect those datasets.

For any data set that is listed with a UACC of READ or higher, you should consider creating an entry in the Global Access  Table (GAT).